zamsler

Reputation: 307

Play Framework won't run inline javascript

I am trying to set up a simple application using the Play Framework 2.6 and Scala and I can't seem to run inline JavaScript from my HTML templates. I keep getting the error:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-DdH/amfJizOgk2xZ+Xst5j13qHxPYrrrfT6x/TzfYiA='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

My scala code is:

package controllers

import javax.inject._
import play.api._
import play.api.mvc._
import play.twirl.api.Html

class HomeController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {

  def index() = Action { implicit request: Request[AnyContent] =>
    Ok(views.html.main("Hello World"))
  }
}

And my html.main.html file looks like:

@(title: String)

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta http-equiv="Content-Security-Policy" content="default-src 'self'">
        <title>@title</title>
        <link rel="stylesheet" media="screen" href="@routes.Assets.versioned("stylesheets/main.css")">
        <link rel="shortcut icon" type="image/png" href="@routes.Assets.versioned("images/favicon.png")">
    </head>
    <body>
        <script type="text/javascript">
            document.write("Check");
        </script>

        <script src="@routes.Assets.versioned("javascripts/main.js")" type="text/javascript"></script>
    </body>
</html>

So ideally it should print "Check" on the screen when I connect via localhost. I tried changing my application.conf file to be

play.filters.headers.contentSecurityPolicy = null

But that didn't work either. What else can I try?

Upvotes: 3

Views: 1215

Answers (2)

Andriy Kuba

Reputation: 8263

The

play.filters.headers.contentSecurityPolicy = null

is correct, now remove

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

and then it must work as you expected.

Upvotes: 3

poki2

Reputation: 71

The best way to avoid this problem would be to use an extra JavaScript file which contains your code. But I had a similar problem and solved it by setting a very long policy in my application.conf:

play.filters.headers.contentSecurityPolicy = "default-src 'self';script-src 'self' https://my-site.com 'unsafe-inline';style-src 'self' https://my-site.com;font-src 'self' https://my-site.com;img-src 'self' https://my-site.com data:"

my-site.com is the hostname from where my app is served.

Upvotes: 2
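The browser error above already names the third option besides disabling CSP or adding 'unsafe-inline': allow the inline script by its sha256 hash. As an added example (not code from either answer or from Play itself), this Python helper hashes each inline script body of a rendered template and builds a value for the play.filters.headers.contentSecurityPolicy key seen on the page; the sample template text is constructed from the question.

```python
import base64
import hashlib
import re
from typing import List

# Constructed sample: the inline <script> from the question's template plus the
# external one. Browsers hash the exact text between the tags, whitespace included.
TEMPLATE = """<script type="text/javascript">
            document.write("Check");
        </script>
<script src="/assets/javascripts/main.js" type="text/javascript"></script>
"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def csp_sha256(script_body: str) -> str:
    """CSP source expression 'sha256-<base64 digest>' for one inline script body."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_hashes(html: str) -> List[str]:
    """Hash every inline <script>; tags carrying a src= attribute are external and skipped."""
    return [
        csp_sha256(body)
        for attrs, body in SCRIPT_RE.findall(html)
        if not re.search(r"\bsrc\s*=", attrs, re.IGNORECASE)
    ]


def play_csp_value(html: str) -> str:
    """Value for play.filters.headers.contentSecurityPolicy: keep default-src 'self'
    and allow only the hashed inline scripts, so 'unsafe-inline' is never needed."""
    sources = " ".join(["'self'"] + inline_script_hashes(html))
    return f"default-src 'self'; script-src {sources}"


if __name__ == "__main__":
    print(play_csp_value(TEMPLATE))
```

The hash covers the script text exactly as served, so it must be recomputed whenever the inline script changes, and it cannot cover a script whose body contains per-request Twirl values; for that case a per-request nonce is the matching mechanism.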
