Is your feature request related to a problem? Please describe.
An XSLT stylesheet is considered a script in CSP: https://csplite.com/csp/test176/
Content Security Policy: XSLT loading of stylesheets from an XML document is blocked by the script-src directive; CSP considers XSLT stylesheets a script.
If we choose to use 'strict-dynamic', host-based allowlisting is disabled, so we have to use a nonce with the loading of the XSL, or we get the following error:
Refused to load the script 'https://www.domainname.com/sitemap.xsl' because it violates the following Content Security Policy directive: "script-src-elem 'nonce-mIjedhiK0gOc7lkd+LJDYg==' 'strict-dynamic' 'self' 'unsafe-inline' https: https://*.googleapis.com https://*.google.com https://*.gstatic.com data: https://*.domain.com".
Note that 'strict-dynamic' is present, so host-based allowlisting is disabled.
Describe the solution you'd like
Please allow the addition of a nonce into the Sitemap XSL URL so we can reliably load it with the CSP set to 'strict-dynamic'.
Example:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- proposed nonce pseudo-attribute on the stylesheet PI; the attribute carries the bare
     nonce value, the 'nonce-' prefix belongs only in the CSP source expression -->
<?xml-stylesheet type="text/xsl" href="https://www.domain.com/sitemap.xsl" nonce="mIjedhiK0gOc7lkd+LJDYg=="?>
```
Additional context
https://csplite.com/csp/test176/
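The following is an added example, not code from this issue's author or from the sitemap project, that models the CSP rule the report runs into: once 'strict-dynamic' is present in script-src-elem, host, scheme, 'self' and 'unsafe-inline' sources are ignored, so a parser-inserted script-like load such as the XSL stylesheet is only allowed by a matching nonce. It also shows a server side that emits one fresh nonce in both the CSP header and the proposed nonce pseudo-attribute on the xml-stylesheet PI; that attribute is the issue's proposal, not a feature browsers implement, hash sources are not modelled, and all function names are my own.

```python
import re
import secrets
from urllib.parse import urlsplit


def parse_csp(header):
    """Split a CSP header into {directive: [source tokens]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def matches_host_list(sources, url, page_origin):
    """Classic host-based allowlisting: 'self', scheme sources and host patterns."""
    u = urlsplit(url)
    for src in sources:
        if src == "'self'":
            if f"{u.scheme}://{u.netloc}" == page_origin:
                return True
        elif src.startswith("'"):
            continue  # other keyword sources do not name a host
        elif src.endswith(":"):
            if f"{u.scheme}:" == src:
                return True
        else:  # host source, '*' matches one DNS label
            pattern = "^" + re.escape(src).replace(r"\*", "[^/]*") + "(/.*)?$"
            if re.match(pattern, f"{u.scheme}://{u.netloc}{u.path}"):
                return True
    return False


def script_allowed(header, url, page_origin, nonce):
    """Would a parser-inserted script-like resource (the XSL stylesheet counts as one) load?"""
    policy = parse_csp(header)
    sources = policy.get("script-src-elem", policy.get("script-src", []))
    quoted = {s.strip("'") for s in sources if s.startswith("'")}
    nonces = {q[len("nonce-"):] for q in quoted if q.startswith("nonce-")}
    if nonce is not None and nonce in nonces:
        return True
    if "strict-dynamic" in quoted:
        return False  # allowlist switched off and no matching nonce: refused
    return matches_host_list(sources, url, page_origin)


def sitemap_response(xsl_url):
    """Return (CSP header, sitemap XML) sharing one per-response nonce (hypothetical PI attribute)."""
    nonce = secrets.token_urlsafe(16)
    csp = f"script-src-elem 'nonce-{nonce}' 'strict-dynamic' 'self' https:"
    xml = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           f'<?xml-stylesheet type="text/xsl" href="{xsl_url}" nonce="{nonce}"?>\n'
           '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"></urlset>')
    return csp, xml
```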