---
title: nonce contained invalid characters
---
## Why This Error Occurred

This happens when a request contains a `Content-Security-Policy` header whose
`script-src` directive carries a nonce value with invalid characters (any one
of the `<`, `>` or `&` characters). For example:
- `'nonce-<script />'`: not allowed
- `'nonce-/>script<>'`: not allowed
- `'nonce-PHNjcmlwdCAvPg=='`: allowed
- `'nonce-Lz5zY3JpcHQ8Pg=='`: allowed
## Possible Ways to Fix It

Replace the nonce value with a base64-encoded value.
## Useful Links

- [Content Security Policy Sources](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources)