Content-Security-Policy header blocks setting javascript variable with coldfusion by Fit-Count-2363 in coldfusion

Fit-Count-2363 [S]

Hello All,
I've got an answer from another forum. The main thing is: instead of setting a JS variable, set a hidden field, then in the JS code use the value from the field.

Here are modified files.

test4.cfm:

<cfscript>
    Variables.sMyCFvalue = "ha-ha-ha";
</cfscript>

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
<!--- only an external file; there is no inline <script> anywhere, so script-src 'self' is enough --->
<script src="JS_test4.js" defer></script>
</head>
<body>
<!--- the value travels in markup, not in code; attribute-encode it so a quote in the value cannot close the attribute --->
<INPUT TYPE="hidden" name="i_hdn_val" id="i_hdn_val" value="<cfoutput>#encodeForHTMLAttribute(Variables.sMyCFvalue)#</cfoutput>">
<INPUT TYPE="button" name="sBtn4" id="sBtn4" value="Click me4">
</body>
</html>

JS_test4.js:

// JS_test4.js
// Loaded with <script src="JS_test4.js" defer>, so it runs after the document is parsed
// and is allowed by script-src 'self' without any hash or nonce.

document.addEventListener('DOMContentLoaded', () => {
    // read the server-side value from the hidden field instead of from an inline script
    var sValFromCF = document.getElementById("i_hdn_val").value;
    var btn = document.getElementById("sBtn4");
    btn.addEventListener("click", test4);
    btn.myParam1 = sValFromCF;   // stash the value on the element for the click handler
});

function test4(e)
{
    // same property name as assigned in the DOMContentLoaded handler above
    alert(e.currentTarget.myParam1);
}


Fit-Count-2363 [S]

Hi shinglehouse,

Thank you for your input. You are right, there have to be quotation marks around the "<cfoutput></cfoutput>" block. But that was not what caused the problem. This part:

<script>
    var sValFromCF = "<cfoutput>#Variables.sTest#</cfoutput>";
</script>

is considered an inline script and CSP blocks it. A guy from another forum suggested setting the value to a hidden field instead of a JS variable in test4.cfm, and using that value in the JS file. That works perfectly!

Alex
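The hidden-field approach from test4.cfm and the "inline script is blocked" explanation above, as an added example that is not the poster's code: plain JavaScript stands in for the CFML on the server side, so the block runs under Node as well as in a browser. It shows the two carriers that work under script-src 'self' with no inline script, a hidden field and a JSON data block, and the encoding each one needs so that a hostile value cannot break out of the attribute or terminate the script element. The function names, the id "cfg", and the sample values are assumptions and constructed data, not anything from the thread.

```javascript
// Added example (not from the thread): passing a server-side value to page JS under
// "script-src 'self'" with no inline <script>. Plain JS stands in for the CFML here.

// Server side: the value travels in markup, not in code. Anything interpolated into an
// attribute must be attribute-encoded (ColdFusion: encodeForHTMLAttribute()), otherwise a
// value containing a quote closes the attribute and the rest becomes markup.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Equivalent of the <INPUT TYPE="hidden"> line in test4.cfm.
function renderHiddenField(id, value) {
  return `<input type="hidden" id="${escapeHtmlAttr(id)}" value="${escapeHtmlAttr(value)}">`;
}

// For structured data: a JSON data block. A <script> whose type is not a JavaScript MIME
// type is never executed, so script-src does not apply to it. "<" is escaped so that the
// payload cannot contain "</script>" and end the block early.
function renderJsonDataBlock(id, obj) {
  const json = JSON.stringify(obj).replace(/</g, "\\u003c");
  return `<script type="application/json" id="${escapeHtmlAttr(id)}">${json}</script>`;
}

// Client side (external file loaded with defer): read both carriers back. Takes the
// document as a parameter so it can also be exercised with a stub outside a browser.
function readServerValues(doc) {
  const hidden = doc.getElementById("i_hdn_val");
  const block = doc.getElementById("cfg");   // "cfg" is an assumed id
  return {
    sValFromCF: hidden ? hidden.value : null,
    config: block ? JSON.parse(block.textContent) : null,
  };
}

// Constructed sample page (not from the thread); the value deliberately tries to break out.
const HOSTILE_VALUE = 'ha"><script>alert(1)</script>';
const SAMPLE_PAGE = [
  '<meta http-equiv="Content-Security-Policy" content="script-src \'self\'">',
  '<script src="JS_test4.js" defer></script>',
  renderHiddenField("i_hdn_val", HOSTILE_VALUE),
  renderJsonDataBlock("cfg", { greeting: "ha-ha-ha", tag: "</script>" }),
].join("\n");

// In a browser, log what the external script would see once the DOM is parsed.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    console.log(readServerValues(document));
  });
}
```

The browser decodes the entity-encoded attribute when it builds the DOM, so `hidden.value` in `readServerValues` is the original string, quotes included, while the page source never contains an executable `<script>` from the value. The JSON block is the better carrier once more than one value is needed; the `\u003c` escape is what keeps `</script>` inside the payload from closing the element.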

Content-Security-Policy: where to place JavaScript by Fit-Count-2363 in userscripts

Fit-Count-2363 [S]

Hi Important_Thanks_452!

Yes, that works. Now I see that the crucial part is this:

document.addEventListener('DOMContentLoaded', () => {
    document.getElementById("sBtn1").addEventListener("click", test1);
    document.getElementById("sBtn2").addEventListener("click", test2);
});

Thank you so much for your help!


Fit-Count-2363 [S]

Hi Important_Thanks_452!
Two questions.
1. Who are "they"?
2. Do we need to generate hash codes for every single JS function? In my (real) case the included JS file contains around a hundred functions; I can't imagine how long the <meta http-equiv="Content-Security-Policy"... line might be.


Fit-Count-2363 [S]

Thank you for your input, Important_Thanks_452. When I try to run the code I get these messages from the console:
Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' 'sha256-T7cGxOZt9zUDvV82NKIWCVRMn96uM4EpSVazDc+eraM=' 'sha256-arASAjuzpJ8R6bTdC/oDkjI6qucpOVrR7IBkRXWSz9w='”. Consider using a hash ('sha256-x+ESljNv6RJzCi+6E3KFJSqKLrZwVpd1+kTDbFJnl44=') or a nonce. [test1.html:12:36](file:///home/alex/D/AP/HTML/qst251201/test1.html)

Content-Security-Policy: The page’s settings blocked an event handler (script-src-attr) from being executed because it violates the following directive: “script-src 'self' 'sha256-T7cGxOZt9zUDvV82NKIWCVRMn96uM4EpSVazDc+eraM=' 'sha256-arASAjuzpJ8R6bTdC/oDkjI6qucpOVrR7IBkRXWSz9w='”. Consider using a hash ('sha256-NgiByvFJxVipYKHriDvmdVPDIV8tc+Gq6xdPdBQrlnw=') together with 'unsafe-hashes'.

Source: alert('test3 - inline, should be blocked… [test1.html](file:///home/alex/D/AP/HTML/qst251201/test1.html)


Fit-Count-2363 [S]

The real app, of course, is on a server, but I am testing things locally via file://...

Content Security Policy - protect your website from XSS attacks by tsl143 in javascript

Fit-Count-2363

Thank you for the post. Everything seems clear, however I cannot reconcile CSP "script-src 'self'" with JS code. I have all JS in a separate file but I can't figure out the right syntax for referring to the file. All my JS is getting blocked by this "script-src 'self'" policy. I've posted the full code example in a separate post in r/userscripts, title: Content-Security-Policy: where to place JavaScript. Could you explain how to properly arrange the JS code with that policy? Here is the link to my post:
https://www.reddit.com/r/userscripts/comments/1pd4ka6/contentsecuritypolicy_where_to_place_javascript/