Mikhail Chibel

Reputation: 1955

Refused to execute inline script because it violates the following Content Security Policy directive

Suddenly, this morning users reported that JS does not work in Chrome anymore for our website, with multiple exceptions like

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZJh1uUuWvO0I....uclbveH9owCmb/18HI3OU='), or a nonce ('nonce-...') is required to enable inline execution.

and

because it violates the following Content Security Policy directive: "script-src 'self'".

Seems like Chrome gets updated.... The current version installed on my machine

Version 61.0.3163.100 (Official Build) (64-bit)

We don't set security policy explicitly so I don't get where it is coming from. Firefox and IE work. Does anyone have the same problems? Any help appreciated.

Upvotes: 2

Views: 5522

Answers (3)

Oceanmnc

Reputation: 7

In my case this happened due to Chrome extensions: the extensions try to execute some operation in the website and the website blocks it. The issue is with the BlazeMeter Chrome extension.

So just remove the Chrome extensions and then try again, or check with another browser.

Upvotes: 0

Patrick Sturm

Reputation: 373

Given the new information, the only solution is to ensure your scripts are on the same host as the page which loads them.

Upvotes: 0

Mikhail Chibel

Reputation: 1955

A bit rough on my side to blame Chrome for the issue. It turns out that the network team enforced security policy rules by adding headers to the response, and as a result all JS is now blocked. The headers they added are:

Headers

Upvotes: 1
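Added example, not part of the original thread: a small audit that takes a `Content-Security-Policy` header value and a page, reports which inline scripts the policy would block, and prints the `'sha256-...'` source that would allow each one, as the Chrome error message suggests. The function names and the sample page are made up for illustration; the check only looks at `script-src` / `default-src` and ignores `script-src-elem` and `'strict-dynamic'`.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page: two inline scripts and one same-origin external script.
SAMPLE_PAGE = '<script>init();</script><script nonce="abc123">track();</script><script src="/app.js"></script>'

class InlineScripts(HTMLParser):
    """Collect (nonce, body) for every <script> element that has no src."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._cur = [attrs.get("nonce"), ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(tuple(self._cur))
            self._cur = None

def csp_hash(body):
    """Hash source expression for an inline script body."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def script_sources(policy):
    """Source list governing scripts: script-src, else default-src, else None."""
    parts = [p.split() for p in policy.split(";") if p.split()]
    directives = {p[0].lower(): p[1:] for p in reversed(parts)}  # first one wins
    return directives.get("script-src", directives.get("default-src"))

def audit(policy, html):
    """Return (allowed, hash_source) for each inline script under the policy."""
    sources = script_sources(policy)
    parser = InlineScripts()
    parser.feed(html)
    # Browsers ignore 'unsafe-inline' once the list carries a nonce or a hash.
    strict = any(s.startswith(("'nonce-", "'sha")) for s in sources or [])
    results = []
    for nonce, body in parser.scripts:
        h = csp_hash(body)
        ok = (sources is None or h in sources
              or (nonce is not None and f"'nonce-{nonce}'" in sources)
              or ("'unsafe-inline'" in sources and not strict))
        results.append((ok, h))
    return results
```

Running `audit("script-src 'self'", SAMPLE_PAGE)` against the policy from the question marks both inline scripts as blocked, which matches what users saw once the header was injected in front of the application.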
