Hello guys,
I have a question regarding CSP and the 'unsafe-inline' requirement of RenderEPiServerQuickNavigator.
It renders script like this:
<!-- Output of RenderEPiServerQuickNavigator as quoted in this post: a stylesheet link, an external script and one inline script. The inline script has no nonce attribute, so a script-src policy without 'unsafe-inline' (and without a matching hash) will refuse to run it. -->
<link rel="stylesheet" type="text/css" href="/Util/styles/quicknavigator.css" /><script type="text/javascript" src="/Util/javascript/quicknavigator.js"></script><script type="text/javascript">
//<![CDATA[
(function () { new epi.QuickNavigator({"menuItems":{"dashboard":{"caption":"Dashboard","url":"/Smarthouse","javascript":null,"enabledScript":"true","imageUrl":null},"editMode":{"caption":"CMS Edit","url":"/Smarthouse/CMS/?language=en#context=epi.cms.contentdata:///9","javascript":null,"enabledScript":"true","imageUrl":null}},"menuTitle":"Episerver","defaultUrl":""}); }());
//]]></script>
How can I add a nonce value to the inline script to avoid a CSP violation? The only way I see is to use string replacement on the rendered markup.
Pseudo code:
/// <summary>
/// Renders the Episerver quick navigator and passes the rendered client resources through
/// <c>ReplaceQuickNavigatorScriptWithNonceScript</c> before returning them.
/// </summary>
/// <param name="htmlHelper">The HTML helper this extension method is called on.</param>
/// <param name="partialViewName">Value handed to <c>RequiredClientResources</c>; defaults to "QuickNavigator".</param>
/// <returns>
/// Empty markup when the page is in edit mode, when the current principal has no edit access,
/// or when the database is read-only; otherwise the post-processed client resources.
/// </returns>
/// <remarks>
/// NOTE(review): <c>ReplaceQuickNavigatorScriptWithNonceScript</c> is not shown here. For the nonce to
/// keep its value as a CSP control, the replacement should presumably touch only the quick navigator's
/// own inline script tag rather than every script tag in the markup, and the nonce should be a fresh
/// random value per response that matches the one sent in the Content-Security-Policy header.
/// Confirm against the helper and the code that emits the header.
/// </remarks>
public static IHtmlString RenderEPiServerQuickNavigatorWithCspNonce(this HtmlHelper htmlHelper, string partialViewName = "QuickNavigator")
{
    // Guard clauses are evaluated in the same order as the original combined condition.
    if (PageEditing.PageIsInEditMode)
    {
        return htmlHelper.Raw(string.Empty);
    }

    if (!PathAccessChecker.HasEditAccess(PrincipalInfo.CurrentPrincipal))
    {
        return htmlHelper.Raw(string.Empty);
    }

    IDatabaseMode databaseModeService = ServiceLocator.Current.GetInstance<IDatabaseMode>();
    if (databaseModeService.DatabaseMode == DatabaseMode.ReadOnly)
    {
        return htmlHelper.Raw(string.Empty);
    }

    var menu = new QuickNavigatorMenu();

    // Collect every provider's items first (ordered by SortOrder), then add them to the menu.
    var collectedItems = ServiceLocator.Current
        .GetAllInstances<IQuickNavigatorItemProvider>()
        .OrderBy(provider => provider.SortOrder)
        .SelectMany(provider => provider.GetMenuItems(menu.CurrentContentLink))
        .ToList();

    foreach (var menuEntry in collectedItems)
    {
        menu.Items.Add(menuEntry);
    }

    menu.RegisterRequiredResources();

    // The rendered resources include the inline script; the helper is expected to add the nonce to it.
    var renderedResources = htmlHelper.RequiredClientResources(partialViewName);
    return ReplaceQuickNavigatorScriptWithNonceScript(renderedResources);
}
Regards,
Tim