kmnarendra

Reputation: 11

django-csp -- Why am I getting a CSP violation error even though a nonce is set up?

I am getting an error in my browser as

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'self' 'self' https://cdn.jsdelivr.net/". Either the 'unsafe-inline' keyword, a hash ('sha256-lcRjLlr3aCdbAn5uZatA01Jri58xjpKG86fd61W4h9Y='), or a nonce ('nonce-...') is required to enable inline execution.

I am using django-csp to set up Content Security Policy. In my settings.py, I have included the following.

MIDDLEWARE = [
    # added middleware
    'csp.middleware.CSPMiddleware',
    ...
]

CSP_DEFAULT_SRC = ["'self'", ]
CSP_INCLUDE_NONCE_IN = ['script-src']

I have written the JavaScript as:

<script nonce="{{ request.csp_nonce }}">
    do_something()
</script>

Please help me to resolve the issue.

Upvotes: 1

Views: 1874

Answers (1)

Daniel

Reputation: 69

You have only included script-src, not script-src-elem.

settings.py will be:

CSP_INCLUDE_NONCE_IN = [
    'script-src',
    'script-src-elem'
]

Upvotes: 0
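The reason the fix above works is the directive fallback order: a browser checks an inline script element against script-src-elem when that directive is present, and only falls back to script-src (then default-src) when it is absent, so a nonce that lands only in script-src is never consulted. The following is an added example, not code from the question, the answer or django-csp itself; it is a simplified model of the header CSP_INCLUDE_NONCE_IN produces and of the browser's directive selection, with a constructed placeholder nonce and directives mirroring the header from the reported error.

```python
def build_policy(directives: dict[str, list[str]], nonce_in: list[str], nonce: str) -> str:
    # Append 'nonce-<value>' to each directive named in nonce_in (simplified model of
    # CSP_INCLUDE_NONCE_IN's effect; not django-csp's own code).
    parts = []
    for name, sources in directives.items():
        values = list(sources) + ([f"'nonce-{nonce}'"] if name in nonce_in else [])
        parts.append(f"{name} {' '.join(values)}")
    return "; ".join(parts)

def parse_policy(header: str) -> dict[str, list[str]]:
    # Split a serialized policy back into {directive: [source expressions]}.
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def governing_directive(policy: dict[str, list[str]]) -> str:
    # For a <script> element the browser uses script-src-elem if present, otherwise
    # script-src, otherwise default-src; the fallbacks are ignored once one matches.
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in policy:
            return name
    return ""

def inline_script_allowed(header: str, nonce: str) -> bool:
    # True if an inline <script nonce="..."> would execute under this header.
    policy = parse_policy(header)
    name = governing_directive(policy)
    if not name:
        return True  # nothing governs scripts, so nothing is blocked
    sources = policy[name]
    if f"'nonce-{nonce}'" in sources:
        return True
    # 'unsafe-inline' is honoured only when the directive has no nonce or hash source
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash

# Constructed values: a placeholder nonce and directives mirroring the reported error's header.
NONCE = "r4nd0mN0nc3"
SETTINGS = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "script-src-elem": ["'self'", "https://cdn.jsdelivr.net/"],
}
BROKEN = build_policy(SETTINGS, ["script-src"], NONCE)                    # the question's config
FIXED = build_policy(SETTINGS, ["script-src", "script-src-elem"], NONCE)  # the answer's fix
```

`inline_script_allowed(BROKEN, NONCE)` returns False and `inline_script_allowed(FIXED, NONCE)` returns True; with no script-src-elem directive at all, a nonce in script-src alone is enough.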
