Custom java script disabled after update to 15.2.3 HF2

dodster

Prior to the security update, Our Organization was applying customisations on the MFT login page which were used for Multi-factor authentication. This was done by our MFA provider using the following method:

Our Organization developed MFA login support  to HTML MFT Domain by adding a single line to the custom Footer.htm 

<script type="text/javascript" src="/%25CUSTOM_HTML_DIR%25/prefill.js"></script>

 

This “prefill.js” script then does all the needed work to add the additional fields and buttons to support the MFA login.

               

Since upgrading to MFT 15.2.3, we have lost the ability to use javascript within the HTML templates as per our MFA providers comments:  

The issue is that after the patch, Serv-U now populates the Content-Security-Policy response header as script-src 'nonce-33D450ABE161E0C9D6C13CE5F37637CB'

(the nonce changes with each refresh of course)

This disables all other javascript within the page, both inline and with reference back to the server.

 

Can you please advise how we can achieve the login page customisations for MFT version 15.2.2?

dodster

Solarwinds support provided response and resolution

Here's the update from our Developer:

To enable scripts in Custom html and css files, customer has to add %CSP_NONCE_USAGE_ATTR% to every "<script" element, As an example, let's use the element, Customer refered in his report:

<script type="text/javascript" src="/%25CUSTOM_HTML_DIR%25/prefill.js"></script>

now it should be

<script %CSP_NONCE_USAGE_ATTR% type="text/javascript" src="/%25CUSTOM_HTML_DIR%25/prefill.js"></script>

When browsing, this additional attribute in the element will be replaced with the randomly generated nonce: