user3524762

Reputation: 642

CSP and inline scripts getting blocked

Struggling with understanding CSP, getting

Refused to apply inline style because it violates the following Content Security Policy directive: "script-src 'self' https://example;"

For example, my domain is https://example.com, in my policy, I have script-src 'self' https://example; yet inline scripts from https://example/static/js/19.b56ecbe.chunk.js are getting blocked.

I would have thought that 'self' would allow the script to run, what am I getting wrong here?

Upvotes: 3

Views: 5065

Answers (1)

Juraj Martinka

Reputation: 4348

@sideshowbarker already explained why you cannot do that but there's a little variant you can use if you want to allow "inline scripts" on your pages.

Just include a nonce in all your script tags as well as in the CSP header itself. Look here for more details: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

Upvotes: 4
