This guide is for website administrators who use a Content Security Policy (CSP) on their site.
A CSP lets website administrators specify which origins the browser should treat as valid sources of executable scripts. A CSP-compatible browser then executes only scripts loaded from those allowlisted sources (or, as shown below, inline scripts carrying a matching nonce) and ignores everything else, which is what blunts cross-site scripting even when an attacker manages to inject markup into the page.
First of all, you need a cryptographic nonce (number used once): give the iubenda script tag a nonce attribute, and list the same value in the script-src directive of your policy as a 'nonce-<value>' source. The browser runs that inline script only if the attribute value matches a nonce source in the policy.
Now add the nonce to the script-src directive of your Content-Security-Policy header:
Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
So, for example, in Cookie Solution’s case, the implementation will look something like:
Please note that the nonce has been added only to the inline script. We’ll see how to handle external scripts in the next step.
Remember that a nonce must be generated fresh for every page response, from a cryptographically secure random source (at least 128 bits, base64-encoded), and must never be reused or hard-coded in a template: a static or guessable nonce lets anyone who can inject markup into the page run their own scripts, which defeats the policy. For the same reason, a page that carries a nonce must not be served from a shared cache, since every visitor would receive the same value. The value in the examples on this page is only an illustration.
Now you need to allow content from iubenda's domains so that the external scripts, styles, frames, images and connect requests can load from there. Putting it all together, the Content-Security-Policy looks like this:
Content-Security-Policy: default-src 'self'; script-src 'self' *.iubenda.com 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'unsafe-eval'; connect-src *.iubenda.com; style-src 'unsafe-inline' *.iubenda.com; frame-src *.iubenda.com *.consensu.org; img-src *.iubenda.com data:
A few things to keep in mind. The host source *.iubenda.com matches subdomains (www.iubenda.com, for example) but not the bare iubenda.com, so add the bare domain as well if you load anything from it. 'unsafe-eval' in script-src and 'unsafe-inline' in style-src are relaxations this guide includes for the iubenda script; they weaken the policy, so keep them confined to those directives and do not copy them into others. Because script-src contains a nonce source, browsers that support CSP level 2 or later ignore 'unsafe-inline' in that directive even if you add it, so do not rely on it for other inline scripts. Roll the policy out first as Content-Security-Policy-Report-Only, review the violation reports, then switch to the enforcing Content-Security-Policy header.
And that's it. You can find more information about CSP and common use cases at MDN Web Docs.