I use Node.js to add a CSP header to the response:
content-security-policy:
script-src 'self' 'strict-dynamic' 'nonce-ip2nIKQXr2iAdA3uOZho5Q==' blob:;connect-src 'self' data: blob:;style-src 'self' 'unsafe-inline';img-src 'self' data:;object-src 'none';base-uri 'none';form-action 'none';
Everything seems to be OK, but when I use an iframe
{ id: "id_iframe", view: "iframe", borderless: true }
It shows an error in the console (F12 - Developer):
html.js:105 Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-ip2nIKQXr2iAdA3uOZho5Q==' blob:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
I have used a nonce for every script (“PlaceholderNonce”, which is changed on every request by Node.js), and the scripts below are in index.html:
<script nonce="PlaceholderNonce" src="public/webix.js"></script>
<script nonce="PlaceholderNonce">
window.webix_strict = true;
</script>
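Added example, not part of the original post and not Webix code: a Node.js sketch of the per-request nonce substitution described above, plus a check for inline event-handler attributes, which are the thing the console error refers to and which a nonce does not authorise. The function names and the sample `<iframe>` tag are assumptions made for illustration.

```javascript
const { randomBytes } = require('node:crypto');

const PLACEHOLDER = 'PlaceholderNonce'; // placeholder name used in the post

// 128 bits of randomness, base64-encoded, generated once per response.
function newNonce() {
  return randomBytes(16).toString('base64');
}

// Same directives as the policy in the post, with the per-request nonce.
function buildCsp(nonce) {
  return [
    `script-src 'self' 'strict-dynamic' 'nonce-${nonce}' blob:`,
    "connect-src 'self' data: blob:",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data:",
    "object-src 'none'",
    "base-uri 'none'",
    "form-action 'none'",
  ].join(';') + ';';
}

// Swap every placeholder for the nonce that is also sent in the header.
function renderIndex(template, nonce) {
  return template.split(PLACEHOLDER).join(nonce);
}

// List inline event-handler attributes (onload=, onclick=, ...) inside tags.
// A nonce only authorises <script> elements, so each hit is refused under
// this script-src; attaching the handler from script avoids the attribute.
function findInlineHandlers(html) {
  const hits = [];
  for (const tag of html.match(/<[a-z][^>]*>/gi) || []) {
    for (const m of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) hits.push(m[1].toLowerCase());
  }
  return hits;
}

// Constructed sample: the two script tags from the post plus one
// hypothetical tag carrying an inline handler (not Webix's real markup).
const SAMPLE = [
  '<script nonce="PlaceholderNonce" src="public/webix.js"></script>',
  '<script nonce="PlaceholderNonce">window.webix_strict = true;</script>',
  '<iframe id="demo" onload="frameReady()"></iframe>',
].join('\n');

const nonce = newNonce();
console.log('content-security-policy:', buildCsp(nonce));
console.log(renderIndex(SAMPLE, nonce));
console.log('inline handlers a nonce cannot cover:', findInlineHandlers(SAMPLE));
```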