Default CSP value for script-src does not allow the portal's inline script to load
In the portal we use an inline script:
<script type="application/init">
{
"displaytab":"<TMPL_VAR NAME="DISPLAY_TAB">",
"choicetab":"<TMPL_VAR NAME="CHOICE_VALUE">",
"login":"<TMPL_VAR NAME="LOGIN">",
"newwindow":<TMPL_VAR NAME="NEWWINDOW" DEFAULT="0">,
"appslistorder":"<TMPL_VAR NAME="APPSLIST_ORDER">",
"scriptname":"<TMPL_VAR NAME="SCRIPT_NAME">",
"activeTimer":<TMPL_VAR NAME="ACTIVE_TIMER" DEFAULT="0">,
"pingInterval":<TMPL_VAR NAME="PING" DEFAULT="0">,
"trOver":<TMPL_VAR NAME="TROVER" DEFAULT="[]">
}
</script>
But the default CSP for script-src is 'self', which permits only scripts fetched from the portal's own origin and never inline script, so this block is rejected by the policy. (Strictly, a script element with a non-JavaScript type such as application/init is a data block that the browser never executes, so the policy does not govern this block itself; what must be allowed is the portal script that reads and parses it, and any other inline <script> on the page.)
We should either add 'unsafe-inline', which re-opens the page to any injected script and so throws away most of what CSP buys us, or, preferably, compute a fresh nonce per response, send it in the script-src directive as 'nonce-<value>' and put the same value in the nonce attribute of each inline script tag (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src).
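As an added example (not LemonLDAP::NG code, and Python rather than the portal's Perl so the logic is easy to read), the following shows the nonce approach end to end: a per-response nonce, the matching script-src header, the init block rendered with the nonce attribute, and a small checker that applies the CSP rules for inline scripts so the three options on this issue ('self' alone, 'unsafe-inline', nonce) can be compared. The parameter names and values passed to render_init_script are constructed stand-ins for the TMPL_VAR values above; the checker implements only the parts of script-src relevant here (nonce, hash and 'unsafe-inline' sources), not the whole CSP grammar.

```python
import html
import json
import secrets
from typing import Optional


def make_nonce(nbytes: int = 16) -> str:
    """Fresh, unguessable nonce for one HTTP response (>= 128 bits, base64url).

    A nonce reused across responses is as weak as 'unsafe-inline', because an
    attacker who sees one page can copy it into an injected script tag.
    """
    return secrets.token_urlsafe(nbytes)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value keeping 'self' and allowing only inline
    scripts that carry this response's nonce."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"


def render_init_script(nonce: str, params: dict) -> str:
    """Render the portal's init block with the nonce attribute.

    json.dumps does the quoting, so a value containing quotes or </script>
    fragments cannot break out of the JSON literal. The params dict is a
    constructed stand-in for the template variables interpolated on the page.
    """
    body = json.dumps(params, indent=1)
    attr = html.escape(nonce, quote=True)
    return f'<script type="application/init" nonce="{attr}">\n{body}\n</script>'


def inline_script_allowed(csp: str, nonce: Optional[str]) -> bool:
    """Would a browser enforcing `csp` run an inline script carrying `nonce`
    (None = no nonce attribute)?

    Rules applied, following CSP3 for script-src (falling back to default-src):
      * a matching 'nonce-...' source allows the script;
      * 'unsafe-inline' allows every inline script, but is ignored when the
        source list also contains a nonce or hash source;
      * 'self' and host sources never match inline script.
    """
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))

    nonces = {
        s[len("'nonce-"):-1]
        for s in sources
        if s.startswith("'nonce-") and s.endswith("'")
    }
    hashes = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]

    if nonce is not None and nonce in nonces:
        return True
    if "'unsafe-inline'" in sources and not nonces and not hashes:
        return True
    return False


if __name__ == "__main__":
    n = make_nonce()
    print("Content-Security-Policy:", csp_header(n))
    print(render_init_script(n, {"login": "dwho", "newwindow": 0, "trOver": []}))
    print("'self' only, inline block:", inline_script_allowed("script-src 'self'", None))
    print("nonce policy, tagged block:", inline_script_allowed(csp_header(n), n))
    print("nonce policy, injected block:", inline_script_allowed(csp_header(n), None))
```

The last two lines of the demo are the point of preferring a nonce: the portal's own block runs, while a script an attacker manages to inject into the page (which cannot know the nonce chosen for that response) does not. With 'unsafe-inline' both would run.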