Content-Security-Policy (CSP) is a browser security mechanism that allows you to restrict how resources are loaded. This offers a very good protection from XSS in browsers that support it. See https://content-security-policy.com/ for more info.
When Content-Security-Policy is enabled it disables all inline JavaScript and Style. Many of the CF tags, such as cfform, cfwebsocket, and all of the CF UI tags generate inline JavaScript, and thus are not compatible with CSP by default.
There are two ways you can still allow the use of inline script or styles with CSP: first, by using a nonce, and second, by whitelisting a hash (e.g. SHA-256) of the inline script. The nonce approach would work really well here and would allow CF users to use CSP on pages that have dynamically generated JavaScript.
The nonce must be a secure random string generated per request; something like generateSecretKey() could be used, but ideally converted to URL-safe base64. The CF user would need a way to obtain the nonce value used in the CF tags' dynamically generated JS/CSS, so perhaps a function could be added, getRequestNonce(), that would either generate or return the nonce for the current request. Then, in the implementation of tags such as cfform, that nonce value would be passed into the inline script tags the tag generates.