Comments (9)
Hi @urfusion,
Could you provide which script was blocked by CSP and which browser you are using?
from secure-headers.
Hi @bepsvpt ,
There are multiple errors:
<!-- Facebook Pixel Code -->
<script>
  // Standard Facebook Pixel bootstrap: defines a queueing fbq() stub, then
  // injects fbevents.js asynchronously before the first <script> on the page.
  !function (f, b, e, v, n, t, s) {
    if (f.fbq)
      return;
    n = f.fbq = function () {
      n.callMethod ?
        n.callMethod.apply(n, arguments) : n.queue.push(arguments)
    };
    if (!f._fbq)
      f._fbq = n;
    n.push = n;
    n.loaded = !0;
    n.version = '2.0';
    n.queue = [];
    t = b.createElement(e);
    t.async = !0;
    t.src = v;
    s = b.getElementsByTagName(e)[0];
    s.parentNode.insertBefore(t, s)
  }(window, document, 'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '1585');
  fbq('track', 'PageView');
</script>
and
<script>
  // Sets the hidden 'action' field and submits the booking form.
  function book_clickHandler(event) {
    document.getElementById('action').value = 'book';
    document.getElementById('theForm').submit();
  }
</script>
and
<script>
  // Restarts the home page video once the page has fully loaded.
  $(window).on('load', function () {
    var vid = document.getElementById("Homevideo");
    vid.pause();
    vid.play();
  });
</script>
All the inline scripts are getting this error.
Could you use the browser developer tools to check the actual CSP header that the browser received?
I am getting errors like this in the Mozilla console.
Sorry for the confusion. Could you provide the CSP header value like the following screenshot?
The main URL CSP is:
default-src; base-uri 'none'; connect-src 'self' https://staging.domain.com:8443/socket.io/ wss://staging.domain.com:8443/socket.io/; font-src 'self' data: https:; form-action 'self'; frame-ancestors 'none'; frame-src 'self' https:; img-src 'self' https://www.facebook.com/tr?id=15252&ev=PageView&noscript=1 data: https:; media-src 'self' https://player.vimeo.com/external/236428774.hd.mp4?s=645fbf379b8ee6c4312e1b3aae5a85fa8cc3ddf0&profile_id=174 https://vod-progressive.akamaized.net/exp=1581614269~acl=%2A%2F841967436.mp4%2A~hmac=5bff94ff9fe1a8b2c86b3de3597db625596924afef0a5e47ec6851a1030e9e30/vimeo-prod-skyfire-std-us/01/2285/9/236428774/841967436.mp4; object-src 'none'; plugin-types application/x-shockwave-flash; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://maps.googleapis.com/maps/api/js?key=AIzaSyB9tsdaqE0M-sjdRS4a2sBTwkbUsMqahnkaIs https://www.google.com/recaptcha/api.js https://cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/jquery.validate.js https://maps.googleapis.com/maps-api-v3/api/js/39/10/common.js https://maps.googleapis.com/maps-api-v3/api/js/39/10/util.js https://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.min.js https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/additional-methods.js https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/ScrollMagic.min.js https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.min.js https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/debug.addIndicators.min.js https://www.gstatic.com/recaptcha/releases/vJuUWXolyYJx1oqUVmpPuryQ/recaptcha__en.js https://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate?1shttps%3A%2F%2Fstaging.domain.com%2F&4sAIzaSyB9tqE0M-sjdRS4a2sBTwkbUsMqahnkaIs&callback=_xdc_._wl020o&key=AIzaSyB9tqE0M-sjdRS4a2sBTwkbUsMqahnkaIs&token=85722 https://connect.facebook.net/en_US/fbevents.js 'nonce-b447920613e8f5668d835282ab2ffee4' https:; 
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://fonts.googleapis.com/css?family=Biryani:200,300,400,500,600,700 https://cdnjs.cloudflare.com/ajax/libs/bootstrap-datetimepicker/4.15.35/css/bootstrap-datetimepicker.min.css https:; worker-src 'none'; upgrade-insecure-requests
According to https://csp-evaluator.withgoogle.com:
unsafe-inline is ignored if a nonce or a hash is present. (CSP2 and above)
Please set add-generated-nonce to false and try again.
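An added example (not code from the secure-headers project or from anyone in this thread) that checks the behaviour described above: given a CSP header string, it reports whether 'unsafe-inline' in script-src is still effective or is being ignored because a nonce or hash source is present. The header values in it are constructed.

```javascript
// Added example, not part of the secure-headers project or this issue thread.
// Parses a Content-Security-Policy header and reports whether an inline
// <script> without a nonce will be allowed by script-src. Per CSP Level 2+,
// 'unsafe-inline' is ignored when the same directive also carries a
// 'nonce-...' or 'sha256/384/512-...' source expression.

function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// script-src falls back to default-src when it is absent.
function inlineScriptStatus(header) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') || policy.get('default-src') || [];
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  const nonced = hasNonceOrHash(sources);
  const allowed = unsafeInline && !nonced;
  let reason;
  if (unsafeInline && nonced) {
    reason = "'unsafe-inline' is ignored: a nonce or hash is present (CSP2+)";
  } else if (allowed) {
    reason = "'unsafe-inline' is effective; un-nonced inline scripts run";
  } else {
    reason = 'no inline allowance; inline scripts need a matching nonce or hash';
  }
  return { unsafeInline, nonced, unnoncedInlineAllowed: allowed, reason };
}

// Constructed header modelled on the one in this thread (values are made up).
const sample =
  "default-src 'none'; script-src 'self' 'unsafe-inline' 'nonce-b447' https:";
console.log(inlineScriptStatus(sample).reason);
```

The stricter alternative to turning add-generated-nonce off is to keep the generated nonce and put it on each inline script tag, after which 'unsafe-inline' can be dropped from script-src entirely.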
Cool. Working now. Thanks.
Thanks for reporting this issue, I will add related information to the document.