I use sbt to build a play-scala-seed project, and add a simple:

```html
<button id="doclick" onclick="doConsole();">click</button>
```

But when I start the project and click the button, the console gives this error output:

```
localhost/:17 Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
```

application.conf:

```
play.http.filters = "filter.Filters"
play.filters.headers.contentSecurityPolicy="script-src 'self' 'unsafe-inline'"
```

I just followed the official doc, play-securityheaders.

Did I miss something or take the wrong path? I still cannot call the inline script.

WeiChing 林煒清
jenkin

1 Answer

I had the same problem and found the solution after 2 hours of fiddling with it.

I am using compile-time dependency injection and I changed the application mixin from `HttpFiltersComponents` to `NoHttpFiltersComponents`, which solved the problem.

cokeman19
WeiChing 林煒清
  • Keep in mind that this disables all security headers. You can disable the CSP header in particular by adding `play.filters.headers.contentSecurityPolicy = null` to `application.conf`. But that's also a bad idea. – ss1 Mar 22 '18 at 10:46
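
An added example, not part of the original posts: a small JavaScript model of how a browser decides whether an inline event handler may run, applied to the policy quoted in the console error and to the value set in `application.conf`. The function names and the last two sample policies are constructed for illustration.

```javascript
// Added illustration, simplified from the CSP Level 3 rules.
// Not modelled: 'unsafe-hashes' with a hash matching the handler body.

// Parse "name v1 v2; name2 v3" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Inline event handlers (onclick="...") are governed by the first directive
// present in this chain: script-src-attr, script-src, default-src.
function inlineHandlerAllowed(policy) {
  const directives = parseCsp(policy);
  const name = ['script-src-attr', 'script-src', 'default-src']
    .find((d) => directives.has(d));
  if (!name) return { allowed: true, directive: null }; // scripts unrestricted
  const sources = directives.get(name).map((s) => s.toLowerCase());
  // A nonce, a hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const voided = sources.some((s) =>
    /^'(nonce|sha256|sha384|sha512)-/.test(s) || s === "'strict-dynamic'");
  // Host sources, including the wildcard *, never cover inline code.
  const allowed = sources.includes("'unsafe-inline'") && !voided;
  return { allowed, directive: name };
}

const samples = [
  "default-src *",                                       // quoted in the console error
  "script-src 'self' 'unsafe-inline'",                   // set in application.conf
  "script-src 'self' 'unsafe-inline' 'nonce-abc123'",    // constructed
  "default-src 'self'; script-src-attr 'unsafe-inline'", // constructed
];
for (const p of samples) {
  const r = inlineHandlerAllowed(p);
  console.log(`${p}\n  -> allowed=${r.allowed} (decided by ${r.directive})`);
}
```

The two policies from the page give different results, so the `Content-Security-Policy` response header shown in the browser's network tab is the place to confirm which policy string is actually being sent.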