January 29, 2026
Answered

Content-Security-Policy header blocks setting javascript variable with coldfusion

  • 2 replies
  • 124 views

Hello everybody!

I am working on removing all my inline JS code. As an example I've created a simple ColdFusion (CF) template with a button.

In a separate JavaScript file I define the function which is called when the button is pressed.
This function is to have an argument through which I pass a value to be displayed.

test4.cfm:

<cfscript>
Variables.sTest = "ha-ha-ha";
</cfscript>


<!DOCTYPE html>
<html>
<head>

<meta http-equiv="Content-Security-Policy" content="script-src 'self'">

<script>
var sValFromCF = "<cfoutput>#Variables.sTest#</cfoutput>";
</script>

<script src="JS_test4.js" defer> </script>

</head>


<body>

<INPUT TYPE="button" name="sBtn4" id="sBtn4" value="Click me4">

</body>

</html>

JS_test4.js:

<!-- Begin hiding contents from older browsers

document.addEventListener('DOMContentLoaded', () => {
  document.getElementById("sBtn4").addEventListener("click", test4);
  document.getElementById("sBtn4").myParam1 = sValFromCF;
});

function test4(e)
{
  alert(e.currentTarget.myParam1);
}

// End hiding the contents -->

And here is the problem. I need to set the displayed value by CF, see the line:

var sValFromCF = "<cfoutput>#Variables.sMyCFvalue#</cfoutput>";

However, the header Content-Security-Policy (CSP) with "script-src 'self'" blocks the entire JS code in test4.cfm.

So how do I set a JS variable with CSP in place?

Thank you in advance!
Alex


    BKBK, Community Expert
    February 2, 2026

    Hi @cadol_CF,
    Apply a secure “nonce” to the Content-Security-Policy, and it will work.

    Here is a suggestion for your code:

    test4.cfm

    <cfscript>
        variables.sTest = "ha-ha-ha";
    </cfscript>

    <!DOCTYPE html>
    <html>
      <head>
        <!---
        Generate a highly secure key and use it as a nonce.
        The nonce value is cryptographically random and unique per page request.
        --->
        <cfset nonce = toBase64(generateSecretKey("AES"))>
        <cfoutput><meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-#nonce#';"></cfoutput>

        <!--- Ensure that the script block has that exact nonce. Otherwise, it might not execute. --->
        <cfoutput>
        <script nonce="#nonce#">
            var sValFromCF = '#variables.sTest#';
        </script>
        </cfoutput>

        <script src="JS_test4.js" defer></script>
      </head>
      <body>
        <button name="sBtn4" id="sBtn4">Click me4</button>
      </body>
    </html>

    JS_test4.js

    <!-- Begin hiding contents from older browsers-->

    document.addEventListener('DOMContentLoaded', () => {
        const btn = document.getElementById("sBtn4");

        if (!btn) {
            console.error("sBtn4 not found");
            return;
        }

        btn.addEventListener("click", () => {
            test4(sValFromCF);
        });
    });

    function test4(arg) {
        alert(arg);
    }

    // End hiding the contents

     

    cadol_CF (Author), Participating Frequently
    February 3, 2026

    Hi BKBK,

    Works perfectly! 
    At the moment I am trying to remove all inline js-codes, so I am using the way Charlie Arehart suggested (passing values via hidden fields), however I see that with the nonce feature I can leave some codes in place which gives me more flexibility.

    Thank you very much for your input!
    Alex

    Charlie Arehart, Community Expert
    February 3, 2026

    @Charlie Arehart Just to clarify, I didn't suggest the hidden field approach. :-) That was one of the options offered in the AI elaboration I linked to.

    More to the point, I too had specifically suggested using a nonce, pointing out first that it was offered as a feature in cf2025 then leaving the AI discussion which showed specific cfml code to create such a csp nonce that would work on any version.

    And even that was one of a couple other suggestions I'd offered: I tried to anticipate how different situations called for different solutions. :-) But good for you if BKBK's offering code here stood out better for you.

    /Charlie (troubleshooter, carehart.org)
    Charlie Arehart, Community Expert (Correct answer)
    January 29, 2026

    Cadol/Alex, you haven't said what cf version you're using. If it's cf2025, there is in fact a new set of features that can help specifically with this. See the section of the what's new in cf2025 document, "Support for Content-Security-Policy (CSP) in ColdFusion tags". It covers choices at the code, app, and cf admin level. But perhaps you're not yet on cf2025. Or you may have further questions that are not addressed there.

    It's worth noting that on the surface this is otherwise not really a question specific to cf. What you experienced could happen with just an htm file (that hard-coded that value).

    As such there are solutions that are:

    • about changing the js (which could be tedious across many templates facing this sort of problem)
    • or about configuration of headers in the page (which cf can help with CF header, or that can be configured in your web server)
    • or about leveraging a "nonce" feature for csp, which is what cf facilitates with the new feature in cf2025 but can be done other ways
    • and there may be still more options

    I realize you may be looking simply for "how do I get this code to run", and someone may offer a single option that works for you (or if the 2025 feature doesn't suit you). But I'm trying to suggest that this may be bigger than adding a tweak to this one file. That's why I've laid out these options.

    And this problem may be new for you simply because your cf app was moved to a new server, perhaps with a new OS, and/or new web server, and/or a new cf version. Or someone may have tightened security on any of those. And you yourself may or may not have the option to reconsider the choices made--or it can help to understand "what changed". I'm just trying to help you think beyond this one broken page, as perhaps you may well already be wondering.

    And rather than elaborate further, I'd point out that this is the kind of question that if you asked an AI engine you'd get lots of clarification and references to more, including even about the new cf2025 feature.

    In fact, to prove the point I did just that, and the answers affirmed what I anticipated above. I even asked a couple of leading follow-ups to tease out the points I made. (I realize others might not have thought to ask those.)

    Anyway, rather than repeat all the options and details here, and rather than simply dump the several paragraphs in reply to your question and my 2 follow-ups, here is a public link to the conversation.

    I offer it also to show that even just your verbatim question above can be asked of an AI, including free ones (I used Perplexity free for this one, but could have used others). Of course sometimes the AIs do hallucinate. One must always test to confirm a suggested solution, or beware sharing their answer as "the correct one". :-)

    Let us know if any of that gets you going.

    /Charlie (troubleshooter, carehart.org)
    cadol_CF (Author), Participating Frequently
    January 29, 2026

    Hi Charlie,

    You are right, our production server runs CF2023, not 2025. The solutions you’ve found with the help of AI are exactly what I need. Both data-param1=… and setting a hidden input work just fine.

    Thank you for your help and good advice!

    Alex

    Charlie Arehart, Community Expert
    January 29, 2026

    Wonderful to hear.

    To be clear, I didn't "find them with the help of AI". I knew they were the options. :-)

    I was asking AI to show how anyone could do just that, and how even the initial answer to your verbatim first question could provide sufficient insight. I pressed it for more, which shows how even AI can give up more if pressed. Often that's half the battle, knowing what more to press.

    So I offered all that (and this) for you and for future readers. :-)

    /Charlie (troubleshooter, carehart.org)