I am continually getting below error Content Security P

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

I am getting errors like this in mozila console. <a target="_blank"

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). about secure-headers HOT 9 CLOSED

bepsvpt commented on May 17, 2024

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

from secure-headers.

Comments (9)

bepsvpt commented on May 17, 2024

Hi @urfusion,

Could you provide which script was blocked by CSP and which browser are you using?

from secure-headers.

urfusion commented on May 17, 2024

Hi @bepsvpt ,

There are multiple errors

<!-- Facebook Pixel Code -->
		<script>
			!function (f, b, e, v, n, t, s)
			{
				if (f.fbq)
					return;
				n = f.fbq = function () {
					n.callMethod ?
							n.callMethod.apply(n, arguments) : n.queue.push(arguments)
				};
				if (!f._fbq)
					f._fbq = n;
				n.push = n;
				n.loaded = !0;
				n.version = '2.0';
				n.queue = [];
				t = b.createElement(e);
				t.async = !0;
				t.src = v;
				s = b.getElementsByTagName(e)[0];
				s.parentNode.insertBefore(t, s)
			}(window, document, 'script',
					'https://connect.facebook.net/en_US/fbevents.js');
			fbq('init', '1585');
			fbq('track', 'PageView');
		</script>

and

              <script>
					function book_clickHandler(event) {
						document.getElementById('action').value = 'book';
						document.getElementById('theForm').submit();
					}
                </script>

and

<script>
    $(window).on('load',function() {
        var vid = document.getElementById("Homevideo");
        vid.pause();
        vid.play();
    });
</script>

All the inline scripts getting this error.

from secure-headers.

bepsvpt commented on May 17, 2024

Could you use browser developer tool to check the actual CSP header that browse received?

from secure-headers.

urfusion commented on May 17, 2024

I am getting errors like this in mozila console.

from secure-headers.

bepsvpt commented on May 17, 2024

Sorry for confusing. Could you provide the CSP header value like the following screenshot?

from secure-headers.

urfusion commented on May 17, 2024

the main url CSP is

default-src; base-uri 'none'; connect-src 'self' https://staging.domain.com:8443/socket.io/ wss://staging.domain.com:8443/socket.io/; font-src 'self' data: https:; form-action 'self'; frame-ancestors 'none'; frame-src 'self' https:; img-src 'self' https://www.facebook.com/tr?id=15252&ev=PageView&noscript=1 data: https:; media-src 'self' https://player.vimeo.com/external/236428774.hd.mp4?s=645fbf379b8ee6c4312e1b3aae5a85fa8cc3ddf0&profile_id=174 https://vod-progressive.akamaized.net/exp=1581614269~acl=%2A%2F841967436.mp4%2A~hmac=5bff94ff9fe1a8b2c86b3de3597db625596924afef0a5e47ec6851a1030e9e30/vimeo-prod-skyfire-std-us/01/2285/9/236428774/841967436.mp4; object-src 'none'; plugin-types application/x-shockwave-flash; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://maps.googleapis.com/maps/api/js?key=AIzaSyB9tsdaqE0M-sjdRS4a2sBTwkbUsMqahnkaIs https://www.google.com/recaptcha/api.js https://cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/jquery.validate.js https://maps.googleapis.com/maps-api-v3/api/js/39/10/common.js https://maps.googleapis.com/maps-api-v3/api/js/39/10/util.js https://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.min.js https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/additional-methods.js https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/ScrollMagic.min.js https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.min.js https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/debug.addIndicators.min.js https://www.gstatic.com/recaptcha/releases/vJuUWXolyYJx1oqUVmpPuryQ/recaptcha__en.js https://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate?1shttps%3A%2F%2Fstaging.domain.com%2F&4sAIzaSyB9tqE0M-sjdRS4a2sBTwkbUsMqahnkaIs&callback=_xdc_._wl020o&key=AIzaSyB9tqE0M-sjdRS4a2sBTwkbUsMqahnkaIs&token=85722 https://connect.facebook.net/en_US/fbevents.js 'nonce-b447920613e8f5668d835282ab2ffee4' https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://fonts.googleapis.com/css?family=Biryani:200,300,400,500,600,700 https://cdnjs.cloudflare.com/ajax/libs/bootstrap-datetimepicker/4.15.35/css/bootstrap-datetimepicker.min.css https:; worker-src 'none'; upgrade-insecure-requests

from secure-headers.

bepsvpt commented on May 17, 2024

According to https://csp-evaluator.withgoogle.com

unsafe-inline is ignored if a nonce or a hash is present. (CSP2 and above)

Please set add-generated-nonce to false and try again.

from secure-headers.

urfusion commented on May 17, 2024

Cool. Working now. Thanks.

from secure-headers.

bepsvpt commented on May 17, 2024

Thanks for reporting this issue, I will add related information to document.

from secure-headers.

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). about secure-headers HOT 9 CLOSED

Comments (9)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent