Implement Content Security Policy in Power Pages site


Hello team,
We are trying to implement a content security policy on our website, but when we apply it in Portal Management for our site, CSS and JS are getting affected. We tried to add the attribute "nonce" in the script and style tags, but we need to provide some cryptographic number as its value, which will be the same in the "HTTP/Content-Security-Policy" header. But whenever we try to concatenate nonce with some cryptographic value in the above header, the site checker fails.

How can we resolve the above issue and implement the Content-Security-Policy in our Power Pages site?

  • Verified answer
    OOlashyn Profile Picture
    3,496 Most Valuable Professional on at

    Hi @NikhilDey ,

    You don't need to provide a value for nonce with Power Pages. If you set your Site Setting "HTTP/Content-Security-Policy" to script-src https: 'nonce', Power Pages will automatically add the correct randomly generated string to your inline code. However, nonce in Power Pages works only with inline scripts and inline event handlers, meaning that only code written as inline script or in the Custom JavaScript field will work properly. Regarding CSS - I am not sure that Power Pages supports it.

  • NikhilDey Profile Picture
    26 on at

    Thank you for your reply @OOlashyn.

    When we are trying to add "HTTP/Content-Security-Policy" value as "script-src https: 'nonce'", some of the scripts are not getting executed. For example: The script tag which is present by default in the header file is not getting executed for us.

  • OOlashyn Profile Picture
    3,496 Most Valuable Professional on at

    Can you check if nonce was added by the system to that script tag or is it missing it? By header file you mean Header web template or something else?

  • NikhilDey Profile Picture
    26 on at

    Nonce is getting added to some of the inline scripts but it's not getting affected in the script explicitly mentioned in the Header web template. We are getting the below error where the scripts are not getting nonce feature: "Refused to execute inline script because it violates the following Content Security Policy directive:" 

    The same CSP feature we tried to apply in some different site, there the nonce feature is working for the same script in Header web template file.

  • segfa112 Profile Picture
    28 on at

    Hi @NikhilDey, if I need to show or hide information, could I use this solution? I was reading about Dataverse permissions.

  • OOlashyn Profile Picture
    3,496 Most Valuable Professional on at

    I tested it on my instance and if I add the inline script to the Header web template it works fine with the nonce setting. I would advise you to open a support ticket with Microsoft as Power Pages should add a nonce to every inline script.

  • Verified answer
    NikhilDey Profile Picture
    26 on at

    Thanks @OOlashyn ,
    The CSP nonce was not getting applied in some scripts of our web page because of the Content snippet added just before those scripts. After removing the content snippet, the CSP got applied to each and every script.
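
The check asked for earlier in the thread (did every inline script receive a nonce?), as an added example that is not part of the original posts: a Python script that compares the inline `<script>` tags of a saved page against the nonce in the response's `Content-Security-Policy` header. The header value, nonce and HTML are constructed samples, and it assumes the delivered header uses the standard `'nonce-<value>'` source form.

```python
import re
from html.parser import HTMLParser

JS_TYPES = {"", "text/javascript", "application/javascript", "module"}

def header_nonces(csp_header):
    """Nonce values allowed by script-src (falling back to default-src)."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:  # per the CSP spec, the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("script-src", directives.get("default-src", []))
    pattern = r"'nonce-([A-Za-z0-9+/_-]+={0,2})'"
    return {m.group(1) for s in sources if (m := re.fullmatch(pattern, s))}

class InlineScriptAudit(HTMLParser):
    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []  # (line number, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or "src" in a:
            return  # external scripts are matched by host/scheme sources
        if (a.get("type") or "").strip().lower() not in JS_TYPES:
            return  # data blocks such as JSON-LD are never executed
        line = self.getpos()[0]
        if not a.get("nonce"):
            self.findings.append((line, "missing nonce"))
        elif a["nonce"] not in self.allowed:
            self.findings.append((line, "nonce does not match header"))

def audit(csp_header, html):
    parser = InlineScriptAudit(header_nonces(csp_header))
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: header and page source as saved from one response.
SAMPLE_HEADER = "script-src https: 'nonce-c2FtcGxlTm9uY2U='"
SAMPLE_HTML = """<html><head>
<script nonce="c2FtcGxlTm9uY2U=">console.log("site script");</script>
<div class="snippet">content snippet output</div>
<script>console.log("header template script");</script>
<script type="application/ld+json">{"@type": "WebSite"}</script>
<script src="https://example.com/app.js"></script>
</head></html>"""
```

Run `audit()` on the raw response body (view-source or a saved HTTP response) rather than a DOM dump, and take header and body from the same response, since the nonce changes on each page load.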

  • khareabhishek1 Profile Picture
    2 on at

    Adding nonce for script-src works by adding the nonce value to most of the inline scripts. But you need to make sure to purge the cache or restart the site before testing changes. Have wasted some time.

    The problem is that adding nonce also generated the hash, 'unsafe-eval' and 'unsafe-hashes' directives, which again generate other security warnings on pages. Just sharing my experience for future reference if anyone comes looking for it.

  • apangeles_ Profile Picture
    42 on at
     
    How did you solve the issue with it generating hashes when nonce is enabled?
