Helmet and contentSecurityPolicy and using nonce AND adding it but still getting error
I am a newbie here but I noticed that in your error:
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline' nonce-a449a007188e909846c2e74148c3e1b0
the nonce-a449a007188e909846c2e74148c3e1b0 is lacking the 's, so I would consider modifying your contentSecurityPolicy function as:
export default function contentSecurityPolicy(nonce) {
  return helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: trusted,
      scriptSrc: [
        "'unsafe-eval'",
        "'unsafe-inline'",
        // The nonce source must be wrapped in single quotes inside the header value
        `'nonce-${nonce}'`,
        'https://www.googletagmanager.com',
        '*.googletagmanager.com',
      ].concat(trusted),
      ...
    }
  });
}
Add the 's when writing the nonce-${nonce} part.
Reference: Helmet JS in the Reference > helmet.contentSecurityPolicy(options) > Examples > // Sets "Content-Security-Policy: default-src 'self';script-src 'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'" section
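A small check for the mistake discussed above, as an added example that is not part of the original answer or of Helmet: it scans a Content-Security-Policy header value for nonce, hash and keyword sources that are missing their single quotes, which a browser would otherwise parse as host names. The function names (parseCsp, lintCsp, unsafeInlineIgnored) are hypothetical, and BROKEN is the directive from the error message quoted above.

```javascript
// Sources that are only recognised when wrapped in single quotes.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval',
  'strict-dynamic', 'unsafe-hashes', 'report-sample', 'wasm-unsafe-eval']);
const NONCE_OR_HASH = /^(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_-]+={0,2}$/i;

// Split a header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, only the first occurrence is used.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report every unquoted nonce, hash or keyword in a *-src directive.
function lintCsp(header) {
  const findings = [];
  for (const [name, sources] of parseCsp(header)) {
    if (!/-src(-elem|-attr)?$/.test(name)) continue;
    for (const src of sources) {
      if (KEYWORDS.has(src.toLowerCase()) || NONCE_OR_HASH.test(src)) {
        findings.push({ directive: name, source: src, fix: `'${src}'` });
      }
    }
  }
  return findings;
}

// Browsers that support CSP Level 2 or later ignore 'unsafe-inline' in
// script-src once a correctly quoted nonce or hash is present.
function unsafeInlineIgnored(header) {
  const sources = parseCsp(header).get('script-src') || [];
  return sources.includes("'unsafe-inline'") &&
    sources.some((s) => /^'(nonce|sha(256|384|512))-.+'$/.test(s));
}

// BROKEN is the directive from the error message; FIXED adds the quotes.
const BROKEN = "script-src 'unsafe-eval' 'unsafe-inline' nonce-a449a007188e909846c2e74148c3e1b0";
const FIXED = "script-src 'unsafe-eval' 'unsafe-inline' 'nonce-a449a007188e909846c2e74148c3e1b0'";

console.log(lintCsp(BROKEN));            // one finding for the bare nonce
console.log(lintCsp(FIXED));             // no findings
console.log(unsafeInlineIgnored(FIXED)); // true
```

Once the nonce is quoted correctly, the 'unsafe-inline' entry in the same script-src no longer has any effect in current browsers, so inline scripts need the nonce attribute to run.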