Content Security Policy and Non

Hi all.

Can someone point me in the right direction for creating a Content Security Policy on one of my C5 sites? I am able to do the basics of adding Google Fonts and that kind of stuff but where I get stuck is the inline styles and scripts. I was able to create a Nonce by doing this…

<?php
// Generate a 32-character random hexadecimal nonce (128 bits from the CSPRNG);
// a fresh value is needed on every request, never a cached one.
$nonce = bin2hex(random_bytes(16));

$csp = "default-src 'self'; ";
$csp .= "script-src 'self' 'nonce-$nonce' https://www.googletagmanager.com; ";
$csp .= "style-src 'self' https://fonts.googleapis.com https://cdn.jsdelivr.net; ";
$csp .= "img-src 'self'; ";
$csp .= "font-src 'self' https://fonts.gstatic.com; ";
$csp .= "connect-src 'self' https://www.google-analytics.com; ";

// header() must run before any output is sent, or it is silently ignored.
header("Content-Security-Policy: $csp");
?>

and then…

<script nonce="<?=$nonce?>">
   ...whatever
</script>

but there is this C5 created script right in the header that I am not sure how to add the nonce to…

<script type="text/javascript">
    var CCM_DISPATCHER_FILENAME = "/index.php";
    var CCM_CID = 1;
    var CCM_EDIT_MODE = false;
    var CCM_ARRANGE_MODE = false;
    var CCM_IMAGE_PATH = "/concrete/images";
    var CCM_APPLICATION_URL = "https://domain.com";
    var CCM_REL = "";
    var CCM_ACTIVE_LOCALE = "en_US";
    var CCM_USER_REGISTERED = false;
</script>

Additionally, adding nonce="<?=$nonce?>" within a custom block gives me an undefined variable error.

Any insight would be greatly appreciated.
C
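An added example of the approach sketched in the post above, not code from the post or from Concrete CMS, with two changes a practitioner would want: the nonce lives behind a request-scoped static accessor rather than a template-local `$nonce`, so a block template or element can fetch the same value without an undefined-variable error, and the same nonce is listed in `style-src` so inline styles do not need `'unsafe-inline'` either. The class name `CspNonce`, the `buildCsp()` helper, the extra `object-src`/`base-uri` directives and the bootstrap placement are assumptions made for the example.

```php
<?php
// Added example (not from the forum post or Concrete CMS): a request-scoped
// CSP nonce plus a header builder. The nonce is generated once per request on
// first use, so every theme element, block template and the CSP header agree
// on the value. Assumed: this file is included before any output is sent.
declare(strict_types=1);

final class CspNonce
{
    private static ?string $nonce = null;

    /** This request's nonce: 16 CSPRNG bytes as 32 hex characters, created lazily. */
    public static function get(): string
    {
        if (self::$nonce === null) {
            self::$nonce = bin2hex(random_bytes(16));
        }
        return self::$nonce;
    }

    /** Attribute fragment for inline <script> and <style> tags (hex needs no escaping). */
    public static function attr(): string
    {
        return 'nonce="' . self::get() . '"';
    }
}

/**
 * Build the Content-Security-Policy header value. The nonce goes into both
 * script-src and style-src because a CMS emits inline <style> as well as
 * inline <script>; 'unsafe-inline' is deliberately absent from both.
 * $extraScriptSources lets the caller append hash sources for tags that
 * cannot carry a nonce attribute.
 */
function buildCsp(string $nonce, array $extraScriptSources = []): string
{
    $directives = [
        'default-src' => ["'self'"],
        'script-src'  => array_merge(
            ["'self'", "'nonce-$nonce'", 'https://www.googletagmanager.com'],
            $extraScriptSources
        ),
        'style-src'   => ["'self'", "'nonce-$nonce'", 'https://fonts.googleapis.com', 'https://cdn.jsdelivr.net'],
        'img-src'     => ["'self'"],
        'font-src'    => ["'self'", 'https://fonts.gstatic.com'],
        'connect-src' => ["'self'", 'https://www.google-analytics.com'],
        'object-src'  => ["'none'"],   // assumed hardening: blocks plugins/Flash-style embeds
        'base-uri'    => ["'self'"],   // assumed hardening: stops <base> hijacking of relative URLs
    ];

    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// Send the header before any HTML leaves the buffer (no-op on the CLI).
if (!headers_sent()) {
    header('Content-Security-Policy: ' . buildCsp(CspNonce::get()));
}
?>
<!-- In any theme element or block template (assumed file layout), no $nonce variable needed: -->
<script <?= CspNonce::attr() ?>>
    console.log('inline script permitted by its nonce');
</script>
<style <?= CspNonce::attr() ?>>
    body { margin: 0; }
</style>
```

Two caveats. The nonce must change on every response: a cached page that still carries an old nonce lets anyone who saw it inject a script with that value, so full-page caching and nonces do not mix. And if you keep `'unsafe-inline'` in `script-src` during a transition, browsers that understand nonces ignore `'unsafe-inline'` as soon as a nonce or hash source is present, so that keyword only helps very old browsers and gives no protection in current ones.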

It comes from the header_required.php element.

Themes will include it and also pass in some variables (so you don’t get undefined variable errors). You can see an example of how that’s done in the Atomik theme here: concretecms/concrete/themes/atomik/elements/header_top.php at 9.3.x · concretecms/concretecms · GitHub

Thanks. I looked at those files for reference and was able to pass the $nonce to the header_required.php element by overriding it in my applications folder, but right underneath the script I first referenced is another that I am not sure how to add the $nonce value to.

Basically my question is: is there any way to run C5 without having 'unsafe-inline' in the 'script-src' CSP? I feel like this is something that has an easy solution and maybe I am just going about it the wrong way.
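One way to drop `'unsafe-inline'` for an inline script tag you cannot attach a nonce attribute to, as an added example that is not from the thread or from Concrete CMS: list the script body's SHA-256 hash as a `script-src` source instead. A hash source, like a nonce, authorises exactly that one block and nothing else. The functions `cspHashSource()` and `inlineScriptHashes()`, the output-buffering placement and the sample HTML are assumptions constructed for the example.

```php
<?php
// Added example, not from the forum thread or Concrete CMS: allow a CMS-emitted
// inline <script> by hashing its content into the policy. The hash is taken
// over the exact bytes between <script ...> and </script>, whitespace included,
// so it is computed from the rendered page rather than hard-coded.
// Assumed: output buffering starts before the CMS renders, so the header can
// still be sent once the page body is known.
declare(strict_types=1);

/** CSP hash source for an inline script or style body (byte-exact text between the tags). */
function cspHashSource(string $body): string
{
    return "'sha256-" . base64_encode(hash('sha256', $body, true)) . "'";
}

/**
 * Return the hash sources needed for every inline <script> (no src attribute)
 * in rendered HTML. Tags with a src are covered by host sources, not hashes.
 * A simple regex is enough for well-formed CMS output; it is not an HTML parser.
 */
function inlineScriptHashes(string $html): array
{
    $hashes = [];
    if (preg_match_all('#<script\b([^>]*)>(.*?)</script>#is', $html, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $tag) {
            if (preg_match('/\bsrc\s*=/i', $tag[1])) {
                continue; // external script
            }
            $hashes[] = cspHashSource($tag[2]);
        }
    }
    return array_values(array_unique($hashes));
}

// --- Constructed sample standing in for the CMS bootstrap block (values illustrative) ---
$cid = 1;
$renderedHtml = '<script type="text/javascript">
    var CCM_DISPATCHER_FILENAME = "/index.php";
    var CCM_CID = ' . $cid . ';
    var CCM_EDIT_MODE = false;
</script>
<script src="/concrete/js/app.js"></script>';

ob_start();
echo $renderedHtml;            // on a real site this is the CMS rendering the page
$page = ob_get_clean();        // nothing has reached the client yet

$csp = "default-src 'self'; script-src 'self' " . implode(' ', inlineScriptHashes($page))
     . "; object-src 'none'";
header('Content-Security-Policy: ' . $csp);   // still allowed: no output flushed
echo $page;
```

The point of computing the hash at render time is that the script body changes per page and per state (CCM_CID, CCM_EDIT_MODE), and any byte change produces a different hash; a hard-coded hash would break on the next page. The approach only works while you can buffer the whole response before sending headers, and every additional inline script on a page (edit mode adds more) means another hash in the header, which is why a nonce wired through the CMS, as the linked proposal discusses, scales better than hashing.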

Ah, I see the problem now. You might be interested in this discussion: Proposal: CSP integration · Issue #10508 · concretecms/concretecms · GitHub