January 28, 2026
Question

Content-Security-Policy header blocks setting JavaScript variable with ColdFusion


Hello everybody!

I am working on removing all my inline JS code. As an example, I've created a simple ColdFusion (CF) template with a button.

In a separate javascript file I define the function which is called when the button is pressed. 
This function is to have an argument through which I pass a value to be displayed. 

test4.cfm:
 

<cfscript>
Variables.sTest = "ha-ha-ha";
</cfscript>


<!DOCTYPE html>
<html>
<head>
<title>Test4</title>

<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://localhost:8500/TEST/JS_test4.js">

<script>
// Emit the CF value as a quoted, JavaScript-encoded string literal.
var sValFromCF = "<cfoutput>#encodeForJavaScript(Variables.sTest)#</cfoutput>";
</script>

<script src="JS_test4.js" defer> </script>

</head>


<body>

<INPUT TYPE="button" name="sBtn4" id="sBtn4" value="Click me4">

</body>

</html>

JS_test4.js:

 

<!-- Begin hiding contents from older browsers

document.addEventListener
('DOMContentLoaded', () =>
{
document.getElementById("sBtn4").addEventListener("click", test4);
document.getElementById("sBtn4").myParam1 = sValFromCF;
}
);


function test4(e)
{
alert((e.currentTarget.myParam1));
}


// End hiding the contents -->

And here is the problem. I need to set the displayed value by CF, see the line:

var sValFromCF = "<cfoutput>#encodeForJavaScript(Variables.sTest)#</cfoutput>";

However, the Content-Security-Policy (CSP) header with "script-src 'self'" blocks the entire JS code in test4.cfm.

So how do I set a JS variable with CSP in place?

Thank you in advance!
Alex
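
Added example, not part of the original post: a simplified JavaScript model of how a browser decides whether an inline script may run under a CSP, applied to the policy from test4.cfm. The nonce value and the rendered inline script body are constructed, and the model ignores `script-src-elem` and `'strict-dynamic'`.

```javascript
// Added example: simplified model of CSP matching for inline <script> code.
const crypto = require('crypto');

// Split a policy string into { directive: [source, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // CSP keeps the first occurrence of a repeated directive.
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = sources;
    }
  }
  return directives;
}

// CSP hash source for an inline script body: 'sha256-<base64 digest>'.
function hashSource(scriptText) {
  const digest = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// True if an inline script with this body (and optional nonce attribute) may run.
function inlineScriptAllowed(policy, scriptText, nonce) {
  const d = parsePolicy(policy);
  const sources = d['script-src'] || d['default-src']; // fallback to default-src
  if (!sources) return true; // no governing directive: scripts are unrestricted
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  if (sources.includes(hashSource(scriptText))) return true;
  // 'unsafe-inline' is ignored once the list carries a nonce or hash source.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Policy from test4.cfm; the inline body is constructed (value emitted as a
// quoted string literal) and the nonce is a constructed placeholder.
const PAGE_POLICY = "script-src 'self' http://localhost:8500/TEST/JS_test4.js";
const INLINE = '\nvar sValFromCF = "ha-ha-ha";\n';
const NONCE = 'cjRuZDBtLXBlci1yZXNwb25zZQ';

// 'self' and URL sources only match external files, never inline code.
console.log(inlineScriptAllowed(PAGE_POLICY, INLINE));
console.log(inlineScriptAllowed(`script-src 'self' 'nonce-${NONCE}'`, INLINE, NONCE));
console.log(inlineScriptAllowed(`script-src 'self' ${hashSource(INLINE)}`, INLINE));
```

A hash source only matches while the rendered script text is byte-for-byte unchanged, so a value that varies per request needs a per-response nonce or has to be moved out of the inline script.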