Standards - Content Security Policy

Created by: Administrator, Last modification: 22 August 2025

Having added 'nonce' to the websites, I need to document just what it means. The bitweaver system has always added a ticket to each session and used it to check that returned posts came from the right user. This value is now also used to populate the nonce attribute on each <script> tag and on the associated CSS files. The main problem is that packages like CKEditor build scripts and style sheets dynamically, and it is not easy to get at these files to add a nonce attribute to every one. My short-term fix is simply to disable CSP when I'm logged in, since nobody other than me currently has edit access anyway, but this has to be a work in progress.
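As an added illustration (not bitweaver code, and not what the sites currently run), the PHP sketch below builds a nonce-based policy that keeps working with scripts inserted at run time, and sends it in report-only mode to a logged-in editor instead of switching CSP off. All function names and the script path are hypothetical, and it swaps the session ticket for a fresh random nonce per response, because CSP nonces are meant to be unique each time the policy is sent.

```php
<?php
// Added example, not bitweaver code; every function name here is hypothetical.

// One unpredictable nonce per response (CSP expects a fresh value each time
// the policy is sent, so this does not reuse the session ticket).
function new_csp_nonce(): string
{
    return base64_encode(random_bytes(16));
}

// Build the header line. Logged-in editors get the same policy in report-only
// mode: violations show up in the browser console but nothing is blocked.
function csp_header(string $nonce, bool $isEditor): string
{
    $policy = implode('; ', [
        "default-src 'self'",
        // 'strict-dynamic': a script carrying the nonce may insert further
        // <script> elements through DOM calls and they are trusted too.
        "script-src 'nonce-{$nonce}' 'strict-dynamic'",
        // Stylesheets served from this site, plus nonce-carrying <style> blocks.
        "style-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
    ]);
    $name = $isEditor
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    return "{$name}: {$policy}";
}

// Template helper: emit a script tag the policy will accept. Call it only for
// scripts the site itself ships, never on user-supplied markup.
function script_tag(string $src, string $nonce): string
{
    return sprintf(
        '<script src="%s" nonce="%s"></script>',
        htmlspecialchars($src, ENT_QUOTES),
        htmlspecialchars($nonce, ENT_QUOTES)
    );
}

// Constructed usage: the editor flag and the script path are sample values.
$nonce = new_csp_nonce();
header(csp_header($nonce, false));
echo script_tag('/js/site.js', $nonce), "\n";
```

Inline style attributes and style sheets that an editor package generates in the browser are not covered by 'strict-dynamic', which applies to scripts only; the report-only mode shows which of them still need attention.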