Reputation: 73
I have a local Node.js server; when I run it on my desktop, the website loads correctly. The problem is that when I run the server on my laptop, I get these errors on opening the website.
How can it be that on desktop and on the Heroku server it's working correctly but not locally on my laptop?
PS: I have never used meta to set CSP or manifest.json or anything like that, as I don't know why it should not work without those settings just like on desktop. I also have a valid SSL certificate created with mkcert just like on my desktop.
Upvotes: 0
Views: 669
Reputation: 221
As of Chrome 46, inline scripts can be allowed by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512).
See this link for more information.
If you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by allowlisting secure origins from which scripts should be accepted.
Your Explorer wants to ensure that executable resources loaded with an extension's elevated permissions are exactly the resources you expect, and haven't been replaced by an active network attacker. As man-in-the-middle attacks are both trivial and undetectable over HTTP, those origins will not be accepted.
Upvotes: 2
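The hash-based allowance described in the answer above, as an added Node.js example that is not part of the original post: it computes the `'sha256-…'` source for each inline script and builds a `script-src` directive that accepts only HTTPS origins. The function names, the sample page and `cdn.example.com` are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// CSP hash source for one inline script body: '<alg>-<base64 digest>'.
// The digest covers the exact text between <script> and </script>.
function cspHash(scriptBody, alg = 'sha256') {
  if (!['sha256', 'sha384', 'sha512'].includes(alg)) {
    throw new Error(`unsupported CSP hash algorithm: ${alg}`);
  }
  const digest = crypto.createHash(alg).update(scriptBody, 'utf8').digest('base64');
  return `'${alg}-${digest}'`;
}

// Collect bodies of inline <script> elements (those without a src attribute).
// A regex is enough for this constructed sample; use an HTML parser for real pages.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (!/\bsrc\s*=/i.test(attrs)) bodies.push(body);
  }
  return bodies;
}

// Build a script-src directive: allowlisted HTTPS origins plus inline hashes.
function buildScriptSrc(html, origins = []) {
  for (const o of origins) {
    if (new URL(o).protocol !== 'https:') throw new Error(`insecure origin rejected: ${o}`);
  }
  const hashes = [...new Set(inlineScripts(html).map((b) => cspHash(b)))];
  return ['script-src', "'self'", ...origins, ...hashes].join(' ');
}

// True if the policy carries a sha256 hash matching this exact inline script text.
function isInlineAllowed(policy, scriptBody) {
  return policy.split(/\s+/).includes(cspHash(scriptBody));
}

// Constructed sample page (hypothetical origin and script).
const SAMPLE_HTML = `<!doctype html>
<script src="https://cdn.example.com/lib.js"></script>
<script>document.title = 'ready';</script>`;

const policy = buildScriptSrc(SAMPLE_HTML, ['https://cdn.example.com']);
console.log('Content-Security-Policy:', policy);
```

Because the hash covers the script text byte for byte, any whitespace or formatting change to the inline script requires regenerating the policy.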