Cookiebot custom script ignoring nonce and being blocked by CSP

Comments

6 comments

  • Rafael Soares

    Hi @Maria, the script isn't being blocked by Cookiebot, it's being blocked by the browser, due to the missing CSP `nonce` attribute.

    When `uc.js` injects the custom inline script tag, it should add the `nonce` attribute to indicate to the browser that the inline script can be trusted (a behaviour similar to other script-injecting tools, like Google Tag Manager).

    For more information: https://content-security-policy.com/nonce/

    0
  • Travis Miller

    I'm having the same issue.

    It looks like uc.js clones the other <script> tags on the page, in dequeueNonAsyncScripts().

    However, it seems that the nonce="" attribute isn't being copied over to the clone (or something like that). Interestingly, this problem only seems to happen with inline scripts (i.e., <script> doSomething(); </script>), and not with .js files (i.e., <script src="somefile.js"></script>).

    As a result, the browser refuses to execute the cloned script, because it doesn't have a nonce, so it violates the Content-Security-Policy.

    2
  • Rafael Soares

    @Travis Miller

    > it seems that the nonce="" attribute isn't being copied over to the clone

    It's because the nonce attribute is hidden from the <script> element attributes list, for security.

    https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce#accessing_nonces_and_nonce_hiding

    > this problem only seems to happen with inline scripts (i.e., <script> doSomething(); </script>), and not with .js files (i.e., <script src="somefile.js"></script>).

    That's to be expected if your CSP allows the src of the script (e.g. "script-src 'self'" for your example). Inline scripts are usually blocked by CSP, since it's a common vector of attack.

    0
  • Scott

    I'm having a similar issue with GTM. I also noticed what Travis has noticed: I think the script gets injected with incorrect nonce values. My guess is that if I land on a page for the first time, Cookiebot takes a snapshot of the scripts it blocks and their nonce values, and since these values need to be unique per request, when I accept cookies and refresh the page, a new nonce attribute is generated but the scripts are injected into the HTML with the original nonce values.

    If this is the case (would you be able to confirm?), it would be good if we could provide the uc.js script a nonce attribute, and that could get used on the injected scripts.

    0
  • Magne

    Would strict-dynamic in the script-src list in the CSP-header do the trick? I think that would propagate the trust provided to scripts by the nonce value to scripts injected by the script itself.

    0
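    To compare the cases raised above (the clone without a nonce, a clone with the nonce copied from el.nonce, a stale nonce from an earlier page load, a cloned external same-origin script, and Magne's 'strict-dynamic' question), here is an added example that is not code from Cookiebot's uc.js or from anyone in this thread: a deliberately simplified model of the decision a browser makes for one <script> under a script-src directive. The CSP strings, nonce values, origin and scenario names are constructed, and the evaluator omits hashes, 'unsafe-eval' and scheme sources.

```javascript
// Simplified model of how a browser evaluates script-src for one <script>.
// Constructed example; real CSP has more rules (hashes, 'unsafe-eval', schemes).
function parseScriptSrc(header) {
  const dir = header.split(';').map(s => s.trim()).find(s => s.startsWith('script-src'));
  const tokens = dir ? dir.split(/\s+/).slice(1) : [];
  return {
    self: tokens.includes("'self'"),
    unsafeInline: tokens.includes("'unsafe-inline'"),
    strictDynamic: tokens.includes("'strict-dynamic'"),
    nonces: tokens.filter(t => t.startsWith("'nonce-")).map(t => t.slice(7, -1)),
    hosts: tokens.filter(t => !t.startsWith("'")),
  };
}

// script: { inline, origin, nonce, parserInserted }; pageOrigin: the document's origin.
function isScriptAllowed(policy, script, pageOrigin) {
  // 1. A nonce matching the policy wins, inline or external (this is what a
  //    clone needs; the attribute is hidden, but the el.nonce property still exposes it).
  if (script.nonce && policy.nonces.includes(script.nonce)) return true;
  // 2. 'strict-dynamic': trust propagates to scripts that already-trusted code
  //    inserts via createElement/appendChild (non-parser-inserted); host lists
  //    and 'self' are ignored. innerHTML/document.write inserts stay parser-inserted.
  if (policy.strictDynamic) return !script.parserInserted;
  // 3. Inline without a nonce needs 'unsafe-inline', which any nonce in the policy disables.
  if (script.inline) return policy.unsafeInline && policy.nonces.length === 0;
  // 4. External scripts: 'self' (same origin) or an explicit host source.
  if (policy.self && script.origin === pageOrigin) return true;
  return policy.hosts.includes(script.origin) || policy.hosts.includes('*');
}

const PAGE = 'https://example.com'; // constructed origin
const scenarios = {
  original:        { inline: true, nonce: 'r4nd0m', parserInserted: true },
  cloneNoNonce:    { inline: true, nonce: '', parserInserted: false },           // attribute not copied
  cloneWithNonce:  { inline: true, nonce: 'r4nd0m', parserInserted: false },     // el.nonce copied over
  cloneStaleNonce: { inline: true, nonce: 'old-n0nce', parserInserted: false },  // nonce from a previous load
  cloneExternal:   { inline: false, origin: PAGE, nonce: '', parserInserted: false },
};

// Returns { scenarioName: allowed } for a given Content-Security-Policy header.
function evaluate(header) {
  const policy = parseScriptSrc(header);
  return Object.fromEntries(Object.entries(scenarios).map(([k, s]) => [k, isScriptAllowed(policy, s, PAGE)]));
}

console.log(evaluate("default-src 'self'; script-src 'self' 'nonce-r4nd0m'"));
console.log(evaluate("script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'"));
```

    Without 'strict-dynamic' only the clone that carries the current nonce (and the external same-origin script) runs; with it, every clone appended by trusted code runs regardless of its nonce, which is the propagation Magne describes.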
  • NicoleAWelch

    https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce#accessing_nonces_and_nonce_hiding

    > this problem only seems to happen with inline scripts (i.e., <script> doSomething(); </script>), and not with .js files (i.e., <script src="somefile.js"></script>).

    That's to be expected if your CSP allows the src of the script (e.g. "script-src 'self'" for your example). Inline scripts are usually blocked by CSP, since it's a common vector of attack.

    0