3

I wanted to experiment with Javascript and created a file that I opened in Firefox (68.0.1) file:///C:/play/my.html. The file is on JSFiddle at https://jsfiddle.net/PatS2265/7r4j6ewa/ (but the code works in JSFiddle).

In Firefox when I opened this file I got the following error in the console:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

I looked up how to fix this and tried adding:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com">

but this didn't fix it. The file is shown below (with my failed attempt at adding the Content-Security-Policy meta tag.

What is the correct syntax for the Content-Security-Policy?

NOTE: In Chrome (v76.0.3809.100), this file just worked so that my work around for now.

<!DOCTYPE html>
<html>
<head>
    <title>My Async Test</title>
    <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com">
    <meta charset="UTF-8" />
</head>
<body>
<script>
function clickMe() {
  f().then(alert);
}
async function f() {
  return 1;
}
</script>
  Just testing
  <button type="button" onclick="clickMe()">Run Async Function</button>
</body>

</html>

Searches

I did a search for how to fix this and came across a solution to disable the Content-Security-Policy.

  • Disabling Content Security in Firefox. This worked for me but is pretty heavy handed, so I'd like to know how to do it in my file.

Other results that were helpful were:

I just found tag in StackOverflow for content-security-policy so I'll start that search now.

PatS
  • 8,833
  • 12
  • 57
  • 100
  • 3
    Just run a local server – epascarello Aug 09 '19 at 17:40
  • 1
    That's not an option. I can't install any software on work machine and it doesn't have python or node, or other development apps that I would typically use on my development box. I typically use https://codesandbox.io but ran into a problem which I've since fixed. See https://df35m.csb.app/. I was curious why this didn't just work in Firefox! – PatS Aug 09 '19 at 17:50
  • You can't run node or python? – epascarello Aug 09 '19 at 17:50
  • @epascarello, I updated my previous comment to address this suggestion. – PatS Aug 09 '19 at 17:53
  • Interesting, when I view my solution in CodeSandBox.io, I also see errors like `Content Security Policy: The page’s settings blocked the loading of a resource at https://codesandbox.io/static/js/sandbox.9b5dc6d7.js (“script-src”).`, but the script does still work, whereas when I load the file locally it does not work. – PatS Aug 09 '19 at 17:57
  • 2
    Works fine in my Firefox, do you have any add-ons by chance? Did you try in a clean profile? – Nickolay Aug 11 '19 at 07:16

1 Answers1

5

Well I feel a little bit embarrassed that I didn't get this sooner. I have to credit @Nickolay for commenting that he did not see this problem and asked if it could be an AddOn, or if I had tried this in a new profile, so I checked both.

I created a clean profile using about:profiles and clicking on Create a New Profile, and when I ran in that profile it worked!

Next I realized that I had the Add-On NoScript enabled which was preventing Javascript from running on the on the local files (file:///C:/)!

After I enabled local files in NoScript the problem went away.
Doh (hand hitting forehead).

PatS
  • 8,833
  • 12
  • 57
  • 100