Add a nonce attribute to <script> elements
With a nonce-based CSP, every <script> element must have a nonce attribute which matches the random nonce value specified in the CSP header (all scripts can have the same nonce). The first step is to add these attributes to all scripts:
Blocked by CSP
<script src="/path/to/script.js"></script>
<script>foo()</script>
Allowed by CSP
<script nonce="${NONCE}" src="/path/to/script.js"></script>
<script nonce="${NONCE}">foo()</script>
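The step above as an added Node.js example (not code from the original page): it generates a per-response nonce, builds the matching header, fills the ${NONCE} placeholder, and lists the <script> tags the policy would still block. The function names, the /legacy.js script, the minimal script-src policy and the regex-based tag scan are assumptions made for illustration.

```javascript
const { randomBytes } = require('node:crypto');

// A fresh, unpredictable nonce is generated for every response.
function generateNonce() {
  return randomBytes(16).toString('base64');
}

// Header value allowing only scripts that carry this nonce (minimal policy, assumed).
function cspHeader(nonce) {
  return `script-src 'nonce-${nonce}'`;
}

// Fill the ${NONCE} placeholder used in the page's markup.
function render(template, nonce) {
  return template.split('${NONCE}').join(nonce);
}

// Opening <script> tags whose nonce is missing or differs from the header's.
// Regex scan for illustration only; it assumes quoted attribute values.
function blockedScripts(html, header) {
  const m = /'nonce-([A-Za-z0-9+\/_-]+={0,2})'/.exec(header);
  if (!m) throw new Error('header has no nonce source');
  const blocked = [];
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const attr = /\snonce\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
    const value = attr ? (attr[1] ?? attr[2]) : null;
    if (value !== m[1]) blocked.push(tag);
  }
  return blocked;
}

// Constructed sample template: two scripts carry the placeholder, one was missed.
const TEMPLATE = [
  '<script nonce="${NONCE}" src="/path/to/script.js"></script>',
  '<script nonce="${NONCE}">foo()</script>',
  '<script src="/legacy.js"></script>', // hypothetical script without a nonce
].join('\n');

// One simulated response: new nonce, header, rendered HTML, and the audit result.
function demo() {
  const nonce = generateNonce();
  const header = cspHeader(nonce);
  const html = render(TEMPLATE, nonce);
  return { nonce, header, html, blocked: blockedScripts(html, header) };
}

console.log(demo().blocked);
```

Running the same check against rendered templates in a build or test step catches scripts that were missed before the policy is enforced.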