Textpattern 4.9dev, plugin version: 4.9.0-beta.
Relevant CSP setting: script-src-elem 'strict-dynamic' '<txp:smd_token name="csp_token" prefix="nonce-" />'
Add a honeypot field to the form: <txp:com_connect_text hidden label="" name="r_u_human" default="yes" expected="yes" delay="6" required="0" />
The script block as inserted:

```html
<script>document.addEventListener("DOMContentLoaded", () => {
  let theForm = document.getElementById('com31f8a29dd4f03ba39d7ddc447d33add7');
  theForm.addEventListener("focusin", (ev) => {
    setTimeout(function() {
      let fedadccecfb = document.getElementById("com31f8a29dd4f03ba39d7ddc447d33add7");
      fedadccecfb.insertAdjacentHTML('beforeend', '<input class="comText" id="r_u_human" name="r_u_human" type="text" value="yes" maxlength="100" form="com31f8a29dd4f03ba39d7ddc447d33add7" hidden>');
    }, (["6"][["6"].length * Math.random() | 0]) * 1000);
  }, { once: true })
});</script>
```
The browser blocks this as no nonce is specified.
Expected: <script nonce="xxxxxx">…</script>
Result: on submitting the form it is treated as spam.
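The mismatch reported above, as an added example that is not part of the issue or of the com_connect plugin: a small CSP evaluator that applies the `script-src-elem` → `script-src` → `default-src` fallback and the nonce rule, run against the honeypot script rendered once without and once with a `nonce` attribute. The `honeypotScript` template function, the form id, the nonce value and the sample policy are all constructed for illustration; in the real page the nonce comes from `<txp:smd_token ... />`.

```javascript
// Added example, not the plugin's code. Demonstrates why the injected
// inline <script> is blocked under a nonce-based CSP and how emitting the
// element with the page nonce satisfies the same policy.

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Is an inline <script> element with the given nonce (or null) allowed?
// CSP3: script-src-elem governs <script> elements and falls back to
// script-src, then default-src. 'unsafe-inline' is ignored when a nonce or
// hash source is present or when 'strict-dynamic' is in effect; otherwise
// the element needs a nonce that matches a 'nonce-...' source.
function inlineScriptAllowed(policy, scriptNonce) {
  const sources = policy['script-src-elem'] || policy['script-src'] || policy['default-src'] || [];
  const nonceSources = sources.filter((s) => /^'nonce-/.test(s));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");
  if (nonceSources.length === 0 && !hasHash && !strictDynamic && sources.includes("'unsafe-inline'")) {
    return true;
  }
  if (scriptNonce === null) return false;
  return nonceSources.includes(`'nonce-${scriptNonce}'`);
}

// Read the nonce attribute off the opening <script> tag, or null if absent.
function scriptNonceOf(html) {
  const m = html.match(/<script\b[^>]*\bnonce="([^"]*)"/);
  return m ? m[1] : null;
}

// Render the delayed honeypot block with the same behaviour as the one in
// the issue (random pick from the delay list, field appended on first
// focus), optionally carrying a nonce attribute. Hypothetical template.
function honeypotScript({ formId, fieldName, value, delays, nonce }) {
  const delayList = JSON.stringify(delays.map(String));
  const field = `<input class="comText" id="${fieldName}" name="${fieldName}" type="text" value="${value}" maxlength="100" form="${formId}" hidden>`;
  const body = [
    'document.addEventListener("DOMContentLoaded", () => {',
    `  let theForm = document.getElementById('${formId}');`,
    '  theForm.addEventListener("focusin", (ev) => {',
    '    setTimeout(function() {',
    `      document.getElementById("${formId}").insertAdjacentHTML('beforeend', '${field}');`,
    `    }, (${delayList}[${delayList}.length * Math.random() | 0]) * 1000);`,
    '  }, { once: true });',
    '});',
  ].join('\n');
  const attr = nonce ? ` nonce="${nonce}"` : '';
  return `<script${attr}>${body}</script>`;
}

// Evaluate both renderings against a constructed policy of the shape used
// in the issue and report the outcome.
function evaluate(pageNonce) {
  const policy = parseCsp(`default-src 'self'; script-src-elem 'strict-dynamic' 'nonce-${pageNonce}'`);
  const base = { formId: 'com31f8a29dd4f03ba39d7ddc447d33add7', fieldName: 'r_u_human', value: 'yes', delays: [6] };
  const without = honeypotScript({ ...base, nonce: null });
  const withNonce = honeypotScript({ ...base, nonce: pageNonce });
  return {
    withoutNonceAllowed: inlineScriptAllowed(policy, scriptNonceOf(without)),
    withNonceAllowed: inlineScriptAllowed(policy, scriptNonceOf(withNonce)),
  };
}

console.log(evaluate('c0nstructedN0nce'));
```

`evaluate` returns `{ withoutNonceAllowed: false, withNonceAllowed: true }`: the block as currently emitted never runs, so the honeypot field is never added and the submission is classed as spam, while the same block with the page nonce attached is executed.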