Hi,
Thanks for your question; it seems we missed it in our backlog. I am really sorry for that. Can you please confirm if you still have issues?
I believe that this issue is related to CORS (cross-origin resource sharing). See: How do I resolve the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error from CloudFront? -> https://aws.amazon.com/premiumsupport/knowledge-center/no-access-control-allow-origin-error/
Looking forward to hearing back from you.
I'm running into the same issue: we need the "nonce-xxx" CSP in CloudFront, and there is no way to make it dynamically generated.
First off, if you view the source code in Chrome or FF developer tools, it blanks the nonce attribute (nonce="") so it is obfuscated, but it is still present in the DOM. You can confirm this if you pop up the context menu (right-click) and View Source. The nonce will show if it is being served there.
To solve the main problem of squeezing the nonce value into the CSP served by a CloudFront Response Policy you can use a CloudFront function. We have our origin / HTTP server return the nonce it used in the HTML in a custom header. We then use a Viewer Response CloudFront Function to extract this nonce value (remembering to delete the custom header), and then insert it dynamically into the Content-Security-Policy HTTP header value. We've not had any issues with this solution so far.
Hope this helps.
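The approach described in the answer above, as an added example that is not part of the original post and not AWS's own code: a viewer-response CloudFront Function that moves the origin's nonce into the CSP header. The carrier header name `x-csp-nonce`, the policy directives and the 16-character minimum are assumptions made for illustration.

```javascript
// Added example: CloudFront Function attached to the viewer-response event.
// Assumptions (not from the original post): the carrier header name and the
// policy text below. Adjust both to match what your origin actually sends.
var NONCE_HEADER = 'x-csp-nonce';

// Accept only the base64 / base64url alphabet allowed in a CSP nonce-source.
// Anything else (quotes, spaces, ';') could inject extra directives into the
// policy, so it is rejected. The 16-character minimum is an assumed sanity floor.
var NONCE_RE = /^[A-Za-z0-9+\/_-]{16,}={0,2}$/;

function buildCsp(nonce) {
    // Without a valid nonce, fall back to a policy that allows no inline script.
    var scriptSrc = nonce
        ? "script-src 'self' 'nonce-" + nonce + "'"
        : "script-src 'self'";
    return ["default-src 'self'", scriptSrc, "object-src 'none'", "base-uri 'none'"].join('; ');
}

function handler(event) {
    var response = event.response;
    var headers = response.headers; // CloudFront Functions use lowercase header names

    var carrier = headers[NONCE_HEADER];
    var nonce = carrier && NONCE_RE.test(carrier.value) ? carrier.value : null;

    // Always strip the carrier header so the viewer never sees it.
    delete headers[NONCE_HEADER];

    headers['content-security-policy'] = { value: buildCsp(nonce) };
    return response;
}

// Constructed sample event (illustrative values only), in the shape
// CloudFront passes to a viewer-response function.
var SAMPLE_EVENT = {
    response: {
        statusCode: 200,
        headers: {
            'content-type': { value: 'text/html' },
            'x-csp-nonce': { value: 'q1w2e3r4t5y6u7i8o9p0AB==' }
        }
    }
};
```

A nonce only protects if it is unique per response, so HTML that carries one should not be served from the CloudFront cache; a cached page replays the same nonce to every viewer.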
Did you solve the problem? I'm running into the same issue as well.