Prior to the security update, Our Organization was applying customisations on the MFT login page which were used for Multi-factor authentication. This was done by our MFA provider using the following method:
Our Organization developed MFA login support to HTML MFT Domain by adding a single line to the custom Footer.htm
<script type="text/javascript" src="/%25CUSTOM_HTML_DIR%25/prefill.js"></script>
This “prefill.js” script then does all the needed work to add the additional fields and buttons to support the MFA login.
Since upgrading to MFT 15.2.3, we have lost the ability to use javascript within the HTML templates as per our MFA providers comments:
The issue is that after the patch, Serv-U now populates the Content-Security-Policy response header as script-src 'nonce-33D450ABE161E0C9D6C13CE5F37637CB'
(the nonce changes with each refresh of course)
This disables all other javascript within the page, both inline and with reference back to the server.
Can you please advise how we can achieve the login page customisations for MFT version 15.2.2?
