Content Security Policy and nonce


Hi,

So I have created a portal that has Liquid, JavaScript and FetchXML to make a custom table and to perform CRUD operations, and I have moved all my JavaScript to JS webfiles, but I don't understand how to enforce CSP while referring to these webfiles using inline scripts in my webtemplates. For example:

<script type="text/javascript" src="/example.js"></script>

When I enforce the site setting script-src 'self', it doesn't allow the script to run... Can we call these scripts without doing it with inline scripting? Should I be adding the path to the directory for the script to the whitelist, or do I need to use a nonce to whitelist each inline script?

If I do need to use a nonce, how does it work, and how do I generate and pass the nonce value in the setting and in the JavaScript? I cannot seem to find any documentation that I can understand for actually implementing this.

Thanks
  • nhash

    Hi MichelleH,

    I am currently experiencing the same issue for my portal - have you been able to find a solution for this?

    Cheers,

    Naz

  • Fubar

    @nhash not something I do, but I am not sure if you have already followed this or not https://learn.microsoft.com/en-us/power-pages/security/manage-content-security-policy#configure-csp 

  • nhash

    @Fubar thanks for responding. I've had a look at the documentation and it details how the CSP should be configured just fine. However, I believe the main issue includes how we can call and run a script function from an external web file (in my case particularly on web pages and basic forms) without violating a strict CSP. It would also be great if the documentation had some code examples for nonce generation and referencing for a script tag.
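
Generic CSP nonce handling, as an added example that is not part of the thread and is not Power Pages platform code: it generates a per-response nonce, places it in the `script-src` header value and on an inline `<script>`, and models which scripts such a policy admits. The function names, the `initForm()` call and the origin `https://contoso.example` are assumptions; how Power Pages itself supplies nonces is not shown on this page.

```javascript
// Added example: generic CSP nonce handling for a server-rendered page.
// All function names are hypothetical; this is not Power Pages platform code.
// Web Crypto is global in current Node and browsers; fall back on older Node.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// A nonce must be unpredictable and regenerated for every HTTP response.
function makeNonce() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16)); // 128 bits
  return Buffer.from(bytes).toString('base64');
}

// Header value: same-origin script files via 'self', inline blocks via nonce.
function buildCsp(nonce) {
  return `script-src 'self' 'nonce-${nonce}'`;
}

// The response's nonce goes on each inline <script>; the same-origin
// external file is matched by 'self' and carries no nonce.
function renderPage(nonce) {
  return [
    '<script type="text/javascript" src="/example.js"></script>',
    `<script nonce="${nonce}">initForm();</script>`, // initForm is hypothetical
  ].join('\n');
}

// Simplified model of how a browser matches one script against a policy of
// the form built by buildCsp() (a single script-src directive).
// script: { src, inline, nonce, eventHandler }
function isScriptAllowed(csp, script, pageOrigin) {
  const sources = csp.replace(/^script-src\s+/, '').split(/\s+/);
  // onclick="..." attributes cannot carry a nonce, so this policy blocks them.
  if (script.eventHandler) return false;
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  // Inline block with no nonce, or with a nonce from another response.
  if (script.inline) return false;
  const origin = new URL(script.src, pageOrigin).origin;
  return sources.includes("'self'") && origin === pageOrigin;
}
```

Under this model, moving inline handlers such as `onclick` into the external file and attaching them with `addEventListener` keeps them within what `'self'` allows.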
