
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".?

I'm trying to use an inline script in my project, and I keep getting this error: 'Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-hyQXPyDjuL7UGCz8hPIbJ2ZzKwE8uqNzvUJB9/9T6jc='), or a nonce ('nonce-...') is required to enable inline execution.'

I've viewed a bunch of other similar questions on here and they all say it has to do with a meta tag and to include something like this: <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />

but that doesn't make a difference. I've removed all the meta tags from my <head> and I still get the same error. Where could this issue possibly be coming from, other than the <head>? I've created my project with the express-generator, but I can't find anything CSP-related in any of my files.

I'm completely lost on what's blocking the inline scripts. If I can provide any code, please let me know, but seeing as I have no idea what's causing it, I don't know what code to provide.

The CSP directive is not set in a meta tag but in an HTTP header.

Since you marked the question with the node.js and express tags, here's an example setting the CSP header in express:

const express = require("express");
const app = express();
const port = 8080;

app.get("/", (req, res) => {
    res
        .set("Content-Security-Policy", "default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'")
        .send("<html><head></head><body></body></html>");
})

app.listen(port, () => {
    console.log("Listening on port %s", port);
});

Then you can see the CSP in the response headers:

curl -v http://localhost:8080
* Rebuilt URL to: http://localhost:8080/
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Security-Policy: default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'
< Content-Type: text/html; charset=utf-8
< Content-Length: 39
< ETag: W/"27-ghawzGh2y9RPAcFY59/zgzzszUE"
< Date: Tue, 17 Nov 2020 00:01:04 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< 
* Connection #0 to host localhost left intact
<html><head></head><body></body></html>

The problem for me was the cheerio version. I went from 1.0.0-rc.12 to 1.0.0-rc.5 and it worked fine after that.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
