Reputation: 61
In my code, I have set the following:
response.setHeader("Content-Security-Policy", "default-src 'self'");
This works fine in Internet Explorer.
In Chrome, I get the following error:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-3o30MP9eULqjOPAYfNq0dz2I/NLmIV2JYJR7D96q+wM='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
In Firefox, I get the following error:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”)
I have tried adding unsafe-inline keyword, which works in Chrome but does not work in Firefox.
Upvotes: 3
Views: 13447
Reputation: 45870
When you have this:
default-src 'self'
That means you only allow scripts from your domain. For example:
<script src='/js/example.js'></script>
Or
<script src='https://www.example.com/js/example.js'></script>
If you try to use inline script like this:
<script>
Some JavaScript
</script>
Then the Content Security Policy will block it.
You can change it to this to allow inline scripts like this:
default-src 'self' 'unsafe-inline'
This works in both Chrome and Firefox so you’ll need to give more details as to what you tried and what error you got in Firefox to investigate that further.
Note that this negates a lot of the benefits of using Content Security Policy - hence the 'unsafe' in the name - as anyone who manages to put JavaScript on your page (the main thing CSP was designed to protect against) will still be able to add themselves. Ideally you would move all inline scripts to .js files and reference them that way, as it’s much harder to add a file to a domain you don’t control than a script to a page you don’t control. If this is not possible then there are more advanced methods like nonces and hashes, as the error message alludes to.
Upvotes: 1