
CSP blocks the delay script block #94

Open
phiw13 opened this issue Sep 2, 2024 · 3 comments


phiw13 commented Sep 2, 2024

Textpattern 4.9dev, plugin version:4.9.0-beta.

Relevant CSP setting: script-src-elem 'strict-dynamic' '<txp:smd_token name="csp_token" prefix="nonce-" />'

Add a honeypot field to the form: <txp:com_connect_text hidden label="" name="r_u_human" default="yes" expected="yes" delay="6" required="0" />

The script block as inserted

```html
<script>document.addEventListener("DOMContentLoaded", () => {
  let theForm = document.getElementById('com31f8a29dd4f03ba39d7ddc447d33add7');
  theForm.addEventListener("focusin", (ev) => {
    setTimeout(function() {
      let fedadccecfb = document.getElementById("com31f8a29dd4f03ba39d7ddc447d33add7");
      fedadccecfb.insertAdjacentHTML('beforeend', '<input class="comText" id="r_u_human" name="r_u_human" type="text" value="yes" maxlength="100" form="com31f8a29dd4f03ba39d7ddc447d33add7" hidden>');
    }, (["6"][["6"].length * Math.random() | 0]) * 1000);
  }, { once: true })
});</script>
```

The browser blocks this as no nonce is specified.

Expected: <script nonce="xxxxxx">…</script>

Result: on submitting the form it is treated as spam.
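The check described in this report, as an added example that is not part of the issue, of com_connect, or of Textpattern: a small model of the decision a browser makes for an inline `<script>` under a `script-src-elem` directive that carries `'strict-dynamic'` and a nonce, alongside a renderer that emits the delay block from the report with the nonce attribute the reporter expects. `parseCsp`, `scriptNonce`, `inlineScriptAllowed` and `renderDelayScript` are names chosen here; the nonce value, form id and field markup in the sample are constructed, and the fallback chain (`script-src-elem`, then `script-src`, then `default-src`) follows CSP Level 3.

```javascript
// Parse a CSP header string into { directiveName: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Return the nonce attribute of a <script ...> opening tag, or null if absent.
function scriptNonce(tag) {
  const m = /<script\b[^>]*\bnonce=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// Model of the browser's decision for an inline script element.
// Inline scripts pass when they carry a nonce listed in the governing
// directive; 'unsafe-inline' only counts when no nonce/hash source and no
// 'strict-dynamic' is present, because those make the browser ignore it.
function inlineScriptAllowed(header, tag) {
  const policy = parseCsp(header);
  const sources =
    policy["script-src-elem"] || policy["script-src"] || policy["default-src"];
  if (!sources) return true; // no governing directive: nothing restricts inline scripts

  const nonce = scriptNonce(tag);
  const nonceSources = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
  if (nonce !== null && nonceSources.includes(nonce)) return true;

  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic) {
    return true;
  }
  return false; // this is the case the report hits: no nonce on the generated block
}

// Emit the delayed honeypot script from the report. The body matches the
// block shown in the issue; only the nonce attribute is added when a nonce
// is supplied. "</" is escaped so field markup cannot terminate the script.
function renderDelayScript(formId, fieldHtml, delaySeconds, nonce) {
  const attr = nonce ? ` nonce="${nonce}"` : "";
  const id = JSON.stringify(formId);
  const field = JSON.stringify(fieldHtml).replace(/<\//g, "<\\/");
  const delays = JSON.stringify(delaySeconds.map(String));
  return `<script${attr}>document.addEventListener("DOMContentLoaded", () => {
  let theForm = document.getElementById(${id});
  theForm.addEventListener("focusin", (ev) => {
    setTimeout(function() {
      let target = document.getElementById(${id});
      target.insertAdjacentHTML('beforeend', ${field});
    }, (${delays}[${delays}.length * Math.random() | 0]) * 1000);
  }, { once: true })
});</script>`;
}

// Constructed sample: the policy shape from the report with a made-up nonce value.
const SAMPLE_CSP = "script-src-elem 'strict-dynamic' 'nonce-r4nd0mN0nc3'";
const SAMPLE_FIELD =
  '<input class="comText" id="r_u_human" name="r_u_human" type="text" value="yes" maxlength="100" form="comFORM" hidden>';

const blockedTag = renderDelayScript("comFORM", SAMPLE_FIELD, [6], null);
const allowedTag = renderDelayScript("comFORM", SAMPLE_FIELD, [6], "r4nd0mN0nc3");

console.log("without nonce:", inlineScriptAllowed(SAMPLE_CSP, blockedTag)); // false
console.log("with nonce:   ", inlineScriptAllowed(SAMPLE_CSP, allowedTag)); // true
```

The second result is the one the reporter is asking for: the same script body, emitted with a `nonce` attribute whose value equals the one the page template placed in the `script-src-elem` directive. A nonce that differs from the header's value is treated like no nonce at all, so the value must be generated once per response and reused for both the header and every injected block.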


phiw13 commented Sep 2, 2024

I should have noted this. The nonce is added to each script or style via the smd_token plugin and
`<script src="nnnnn" nonce="<txp:smd_token name="csp_token" />"></script>`. The value is generated once at the very start of the page template.


Bloke commented Sep 2, 2024

That's really odd. com_connect uses script_js() to inject the delay JavaScript code, which is internally wired to use UI\Script, which is internally wired to add CSP nonces where necessary. We'll have to try and chase this through to find out why it's not adding them to the page in this case.

Thank you for the report.


phiw13 commented Sep 3, 2024

Hmm. This is the public side of the website. How would that detect how the nonce is currently generated (currently via the smd_token plugin)? If some ideas discussed in issue 1933 are implemented that might be possible. For now I have to add the nonce in my templates.
