
Refused to execute inline script because it violates the following Content Security Policy directive

Suddenly, this morning users reported that JS does not work in Chrome anymore for our website, with multiple exceptions like

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZJh1uUuWvO0I....uclbveH9owCmb/18HI3OU='), or a nonce ('nonce-...') is required to enable inline execution.

and

because it violates the following Content Security Policy directive: "script-src 'self'".

Seems like Chrome gets updated.... The current version installed on my machine

Version 61.0.3163.100 (Official Build) (64-bit)

We don't set security policy explicitly so I don't get where it is coming from. Firefox and IE work. Does anyone have the same problems? Any help appreciated.

A bit rough on my side to blame Chrome for the issue. It turns out that the network team enforced security policy rules by adding headers to the response, and as a result all JS is now blocked. The headers they added are:

Headers

Given the new information, the only solution is to make sure your scripts are on the same host as the page that loads them.
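An added example, not part of the original question or answer: a Python audit that walks a page's HTML and lists everything a `script-src 'self'` header would block, computing for each inline script the `sha256-...` value that the Chrome error message refers to. The names `SelfOnlyAudit`, `audit` and `origin`, the sample HTML and the example.com/example.net URLs are constructed for illustration, and every `<script>` is assumed to be executable JavaScript.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from the original post).
SAMPLE = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script>var ready = true;</script>
</head><body><button onclick="go()">Go</button></body></html>"""

def origin(url):  # simplified stand-in for 'self': exact scheme/host/port
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)

class SelfOnlyAudit(HTMLParser):
    """Hypothetical helper: collects what script-src 'self' would block."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._inline = page_url, [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in attrs:
            if name.startswith("on"):  # inline event handler attribute
                self.findings.append(("inline-handler", f"<{tag} {name}>"))
        src = attrs.get("src")
        if tag == "script" and src is None:
            self._inline = []  # inline script: start buffering its body
        elif tag == "script" and origin(urljoin(self.page_url, src)) != origin(self.page_url):
            self.findings.append(("cross-origin", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).encode("utf-8")
            digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
            self.findings.append(("inline-script", f"sha256-{digest}"))
            self._inline = None

def audit(html, page_url):
    parser = SelfOnlyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(*audit(SAMPLE, "https://www.example.com/index.html"), sep="\n")
```

Each `inline-script` finding carries the hash form named in the error message; `inline-handler` and `cross-origin` findings mark code that would have to move into same-host script files, as the answer describes.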
