retro

Reputation: 31

Refused to execute inline script for Redocly

Trying redoc-cli (https://github.com/Redocly/redoc/) to generate static documentation. No luck with these errors. It looks like Content-Security-Policy doesn't allow JS code at all.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-g6NjhUYDGd6SXSIYkvuQkZhdbtqx8hqNKVM8JKvqpy4='), or a nonce ('nonce-...') is required to enable inline execution.

<meta
    http-equiv="Content-Security-Policy"
    content="
base-uri;
connect-src *;
default-src * 'unsafe-inline' 'unsafe-eval' data: gap: https://ssl.gstatic.com;
font-src * data:;
form-action;
img-src * data:;
manifest-src *;
media-src;
object-src *;
report-to;
script-src * 'unsafe-inline' 'unsafe-eval';
script-src-attr * 'unsafe-inline' 'unsafe-eval';
script-src-elem * 'unsafe-inline' 'unsafe-eval';
style-src * data: 'unsafe-inline';
style-src-attr * data: 'unsafe-inline';
style-src-elem * data: 'unsafe-inline';
">

Update

Finally fixed.

Server should send these headers:

"Content-Security-Policy" = "script-src blob:"
"Content-Security-Policy" = "worker-src blob:"

And HTML should have manifest.json with additional fields:

{
  "content_security_policy": "script-src * 'unsafe-inline' 'unsafe-eval'",
  "csp": "script-src * 'unsafe-inline' 'unsafe-eval'"
}

Upvotes: 0

Views: 728

Answers (1)

granty

Reputation: 8496

As you can see from the error Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'", the lock occurs in the script-src 'self'. But your CSP in the meta tag does not have this.

This means you actually have another CSP issued. Usually app middleware has a default CSP issued via an HTTP header, but technically you could have two meta-tag CSPs too. If there are two CSPs, the stricter one applies.

Check the HTML code for two <meta http-equiv="Content-Security-Policy" tags, and check the Content-Security-Policy HTTP header in the Developer tools (here is a tutorial).

After fixing the above:

  • The report-to directive is not supported in a meta tag, so you could remove it.
  • The 'unsafe-eval' token is not supported in the script-src-attr/script-src-elem directives. It is a page's global flag and can be used in script-src/default-src only (see the note in para 4.).
  • * and data: are not supported in the style-src-attr directive. It controls the style='...' attribute in tags, and no scheme-sources are used there.
  • * is not supported in the script-src-attr directive. It controls event handlers like onClick='...' or javascript-navigation like <a href='javascript:...'>, and no scheme-sources are used there except javascript:.

Full check-list of errors. But you could leave the above in the CSP; the browser just ignores those.

Upvotes: 1
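An added example, not code from the question or from granty's answer, that models the answer's two points in Node.js: every delivered policy (HTTP header plus <meta>) is enforced on its own, so an inline script runs only if each one allows it, and the listed directive mistakes can be linted before shipping a policy. The sample policies are constructed from this thread; the script-src fallback chain and the nonce/hash handling of 'unsafe-inline' follow CSP3.

```javascript
// Added example (not code from the question or the answer): Node.js model of
// this thread. Several CSPs (header + <meta>) are enforced independently, so an
// inline <script> runs only if every one allows it; plus a lint for the mistakes
// the answer lists. Sample policies below are constructed from the thread.

function parseCsp(text) {
  const policy = new Map(); // directive name -> source tokens (first wins)
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function governingSources(policy) {
  for (const d of ['script-src-elem', 'script-src', 'default-src']) { // CSP3 fallback chain
    if (policy.has(d)) return policy.get(d);
  }
  return null; // no applicable directive: nothing restricts the script
}

function inlineScriptAllowed(policy, { hash, nonce } = {}) {
  const sources = governingSources(policy);
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  if (hash && sources.includes(`'${hash}'`)) return true;
  const lower = sources.map(s => s.toLowerCase());
  // Any nonce or hash source in the directive makes 'unsafe-inline' a no-op.
  const hasNonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Multiple policies: each is checked on its own and all must pass.
function inlineScriptAllowedByAll(policies, opts) {
  return policies.every(p => inlineScriptAllowed(p, opts));
}
// Checklist from the answer; browsers ignore these tokens, but they show a misunderstanding.
function lintMetaPolicy(policy) {
  const get = d => policy.get(d) || [];
  const issues = [];
  if (policy.has('report-to')) issues.push('report-to is ignored in a <meta> CSP');
  for (const d of ['script-src-attr', 'script-src-elem']) {
    if (get(d).some(s => s.toLowerCase() === "'unsafe-eval'")) issues.push(`'unsafe-eval' has no effect in ${d}`);
  }
  if (get('style-src-attr').some(s => s === '*' || s.toLowerCase() === 'data:')) issues.push('* and data: are meaningless in style-src-attr');
  if (get('script-src-attr').includes('*')) issues.push('* is meaningless in script-src-attr');
  return issues;
}
const metaPolicy = parseCsp("default-src * 'unsafe-inline' 'unsafe-eval' data:; script-src * 'unsafe-inline' 'unsafe-eval'; script-src-attr * 'unsafe-inline' 'unsafe-eval'; script-src-elem * 'unsafe-inline' 'unsafe-eval'; style-src-attr * data: 'unsafe-inline'; report-to");
const headerPolicy = parseCsp("script-src 'self'"); // what the middleware sent
```

Running `inlineScriptAllowedByAll([metaPolicy, headerPolicy])` reproduces the question's failure: the meta policy passes, the header policy does not, so the inline script is refused.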
