VikR

Reputation: 5142

Helmet Rejects Localhost Even Though it is Included in Script-Src?

I'm running my node.js web app at:

http://localhost:3000/

I'm getting this error from Helmet:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline' 'sha256-DFWWwGm2cBwXA13nbn4jDkHCl2Oc/0Z2tKvKkN4NWj4=' http://localhost:3000/ http://localhost:4000/ [.....]". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

http://localhost:3000/ is listed in the script-src directive. Why am I getting this error?

Upvotes: 0

Views: 184

Answers (1)

Evan Hahn

Reputation: 12737

From the error message, it looks like you're trying to execute an inline script, which isn't allowed by your CSP.

You've included "unsafe-inline" which would normally allow it, but the SHA causes that to be ignored; see the last sentence in the error message.

Upvotes: 1
