Content Security Policy error on login Azure B2C pages

Andriy Bilyak 6 Reputation points
2021-11-02T13:27:13.993+00:00

Azure B2C pages throw a Content Security Policy error on clicking the Next/Continue buttons on different steps in the login/reset-password flows. If I type an email (or leave it empty) and click the Next button on the first step of login, the error is thrown, but if I press Enter there are no errors.
It looks like the reason is that, on the one hand, the CSP on those pages doesn't allow inline code, but on the other hand there are some pieces of inline code inserted by Azure B2C, e.g. action="javascript:void(0)" in forms.

Debugging the JS code shows that there is a line of code that prevents calling this inline action (action="javascript:void(0)") on pressing Enter, and there is no such prevention on clicking the Next button. There are several such places in forms on different steps.

This part of the code is generated by Azure B2C. Changing the CSP is not possible because it's also set on the Azure side. In fact, this error doesn't block the login flow, but it throws a lot of errors on each step.

Does anybody have the same issue and suggestions on how to avoid it?


1 answer

  1. Florian Fischer 1 Reputation point
    2021-11-12T17:01:26.383+00:00

    Yes, I am facing the same issue, but there is really nothing to do in that case.
    The solution is to allow inline scripts and/or convert them to include the correct nonce, I think.

    At the moment the reports are apparently being collected. I am seeing things like [1]. My guess is that MS would like to enforce CSP. The only practical way is to do quite a bit of monitoring first...

    [1]
    csp-report: {,…}
    blocked-uri: "inline"
    disposition: "report"
    document-uri: "<redacted>"
    effective-directive: "script-src-elem"
    line-number: 1
    original-policy: "script-src 'strict-dynamic' 'self' 'nonce-5gt3vNyAiXk/dSs6Z4l3Gw==' 'report-sample'; report-uri /<redacted>cspreport?p=B2C_1_Auth"
    referrer: "<redacted>
    script-sample: "javascript:void(0);"
    source-file: "<redacted>/B2C_1_Auth/api/CombinedSigninAndSignup/unified"
    status-code: 0
    violated-directive: "script-src-elem"

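A triage helper for reports like [1], added here as an example (not code from Microsoft or from anyone in this thread): it splits the serialized policy into directives, resolves which source list governs the reported directive (script-src-elem falls back to script-src under CSP Level 3), and flags the inline javascript:void(0) form-action pattern from the B2C pages as known noise so monitoring can concentrate on everything else. The sample report and its URLs are constructed, and the B2C matching rule is my own assumption derived from the report quoted above.

```python
import json
from typing import Dict, List

# Constructed sample, modelled on the report quoted in the answer above.
# URLs and the nonce value are placeholders, not real B2C tenant data.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "inline",
    "disposition": "report",
    "document-uri": "https://example.invalid/B2C_1_Auth/",
    "effective-directive": "script-src-elem",
    "original-policy": "script-src 'strict-dynamic' 'self' 'nonce-PLACEHOLDER' "
                       "'report-sample'; report-uri /cspreport?p=B2C_1_Auth",
    "script-sample": "javascript:void(0);",
    "source-file": "https://example.invalid/B2C_1_Auth/api/CombinedSigninAndSignup/unified",
    "status-code": 0,
    "violated-directive": "script-src-elem",
}})


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP header into {directive: [source expressions]}."""
    result: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            result[parts[0].lower()] = parts[1:]
    return result


def triage(report_json: str) -> dict:
    """Classify one CSP violation report for a monitoring pipeline."""
    r = json.loads(report_json)["csp-report"]
    policy = parse_policy(r.get("original-policy", ""))
    eff = r.get("effective-directive", "")
    # Fallback chain: script-src-elem -> script-src -> default-src (CSP3).
    base = eff.rsplit("-", 1)[0] if eff.count("-") > 1 else eff
    sources = policy.get(eff) or policy.get(base) or policy.get("default-src", [])
    inline = r.get("blocked-uri") == "inline"
    sample = r.get("script-sample", "").strip()
    # Assumed rule: the void(0) form action on B2C pages is the noise described here.
    known_b2c = inline and sample.startswith("javascript:void(0)") \
        and "/B2C_" in r.get("source-file", "")
    return {
        "directive": eff,
        "sources": sources,
        "enforced": r.get("disposition") == "enforce",
        "nonce_required": any(s.startswith("'nonce-") for s in sources),
        "known_b2c_void_action": known_b2c,
        "severity": "info" if known_b2c else "review",
    }
```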
