web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Pages / CSP script-src has 'no...
Power Pages
Answered

CSP script-src has 'nonce' enabled but still has sha256-...

(1) ShareShare
ReportReport
Posted on by apangeles_ 42
Hi community,
 
I'd like to ask for clarification as to why this is happening. In our CSP, I placed the recommended value, script-src 'self' content.powerapps.com 'nonce'. Expecting that it will generate a nonce value in the script and CSP, it did. But our IT team was not okay with the fact that there were sha256-... hashes in the CSP. Like I said, only 'self', content.powerapps.com, and 'nonce' are placed inside the CSP value. Why are these sha256 values here? And should our IT team be worried? I told them that these wouldn't make the website insecure, having the values present. But what they want is to not have the hashing method present, which is SHA-256. What to do? 
 
Thank you in advance, and regards,
Adrian
Categories:
General topics
I have the same question (0)
  • Verified answer
    oliver.rodrigues Profile Picture
    oliver.rodrigues 9,368 Most Valuable Professional on at
    the sha-256 hash is generate automatically by Power Pages
     
    My understanding is that they are used internally and should not represent any security concern here. I can't find anything official from Microsoft on what they are used for, but I wouldn't be worried here.
     
    Also note that your actual scripts won't have the nonce value by default in the HTML code, that's because they are rendered server-side before the nonce value is generated, this is also expected 
  • apangeles_ Profile Picture
    apangeles_ 42 on at
     
    This is also what we suspect. Since if we enable nonce either manual input in the site settings, or enabling it in Power Pages' website maker, the backend script changes to include nonces in them. When you remove the nonce, it returns back to the original script. We suspect that this change also brings the setting to inject these SHA-2 hashes in the website and are a functional or stylistic requirement by Power Pages for it to run. 
     
    The complication here is, you're correct, that there is no documentation to support this claim. I've already opened a ticket with Microsoft but I've yet to receive a response from them. I hope it all goes well. 
     
    Without this reference from Microsoft, we do not have any justification for our IT security team to let us pass their VAPT testing. It's already been a frustrating set of weeks trying to figure things out. 
     
    Thanks for your support, @oliver.rodrigues
     
    Could you advise us if our assumption is correct?
     
    Regards,
    apangeles_
  • Suggested answer
    oliver.rodrigues Profile Picture
    oliver.rodrigues 9,368 Most Valuable Professional on at
    I would keep putting pressure on Microsoft here to provide clarification.

    Security is a hot topic and they should give it some attention, but that's just my opinion.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Pages

#1
Fubar Profile Picture

Fubar 78 Super User 2025 Season 2

#2
Jerry-IN Profile Picture

Jerry-IN 75

#3
sannavajjala87 Profile Picture

sannavajjala87 31

Last 30 days Overall leaderboard

Featured topics

Solution to LinkedIn Authentication in Power Apps Portals
Welcome to the Power Pages forum!

Product updates

Microsoft Power Platform Community release plans