Reputation: 285
Content Security Policy stops inline script execution, in spite of report-only mode
I have a CSP in place with 'Content-Security-Policy-Report-Only' mode and report-uri. I have an inline JavaScript running which the CSP prohibits. My understanding was the JavaScript would still be allowed to run while in report-only mode, but will be reported to the report-uri link. It does gets documented in the report-uri link, but it also stops the page from loading with the following error on the Chrome console: "[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".". Why is the CSP being enforced in 'Report-only' mode? Thanks
Upvotes: 1
Views: 591
Answers (1)
Reputation: 285
This seems to happen when I set the CSP along with the Header 'Header set Set-Cookie: HttpOnly; SameSite=Strict' in Apache 2.2.3. I removed this header and the CSP works in true report only mode.
Upvotes: 1
Related Questions
- Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”
- Refused to execute inline script because it violates the following Content Security Policy directive
- Content Security Policy self blocking inline
- Refused to execute inline script for Redocly
- I keep getting the error "Refused to execute inline event handler because it violates the following Content Security Policy directive
- Avoiding `script-src 'unsafe-inline'` with Content-Security-Policy and JavaScript
- Why does my code violate the Content Security Policy?
- can't execute inline event handler because it violates the Content Security Policy directive
- Why isn't this inline javascript blocked by content security policy?
- Why is inline script forbidden (Content Security Policy)?