We are loading jQuery and our own JavaScript file after page load, as shown below:
window.addEventListener('mousemove', GetJQuery, false);
function GetJQuery() {
    var element = document.createElement("script");
    element.src = "//ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js";
    document.body.appendChild(element);
    $.getScript('https://www.example.com/javascript.js'); //example.com is our site
}
We have this security policy:
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval';img-src https: data:"
Chrome is giving this error:
Refused to load the script 'javascript.js' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'unsafe-eval'
To my knowledge, the loading of the script should be in line with the security policy. As such, I am unable to understand the cause of the error.
Any help would be appreciated.
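
An added example, not part of the original post: a simplified model of how a browser decides whether an external script URL is allowed when a policy has no script-src and falls back to default-src, run against the posted policy and the two script URLs from the snippet. The page origins tried (https://www.example.com/ and https://example.com/), the TIGHTER policy and the function names are assumptions made for illustration.

```javascript
// Simplified CSP check for external script loads (added example, not a full CSP implementation).
// Ignores paths, ports, nonces, hashes, script-src-elem and the http->https upgrade rules.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !(name in policy)) policy[name] = sources; // first occurrence wins
  }
  return policy;
}

function hostMatches(pattern, host) {
  // "*.example.com" covers subdomains only, never example.com itself
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function scriptAllowed(header, pageUrl, scriptUrl) {
  const policy = parsePolicy(header);
  const sources = policy['script-src'] || policy['default-src']; // fallback
  if (!sources) return true; // no directive governs scripts
  const page = new URL(pageUrl);
  const target = new URL(scriptUrl, pageUrl); // resolves "//host/..." and relative URLs
  return sources.some((s) => {
    if (s === "'self'") return target.origin === page.origin;
    if (s.startsWith("'")) return false; // 'unsafe-inline' etc. never allow a URL
    if (s === '*') return /^https?:$/.test(target.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme source
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
    if (!m) return false;
    const scheme = m[1] ? m[1] + ':' : page.protocol; // scheme-less: use page scheme
    return target.protocol === scheme && hostMatches(m[2], target.hostname);
  });
}

// Policy copied from the post; page origins and TIGHTER are constructed assumptions.
const POSTED = "default-src 'self' 'unsafe-inline' 'unsafe-eval';img-src https: data:";
const TIGHTER = "default-src 'self'; script-src 'self' https://ajax.googleapis.com https://www.example.com";
const JQUERY = '//ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js';
const OWN = 'https://www.example.com/javascript.js';

for (const page of ['https://www.example.com/', 'https://example.com/']) {
  for (const [label, policy] of [['posted', POSTED], ['tighter', TIGHTER]]) {
    console.log(page, label, 'jquery:', scriptAllowed(policy, page, JQUERY),
      'own:', scriptAllowed(policy, page, OWN));
  }
}
```

In this model 'self' is an exact origin comparison, so a page on example.com and a script on www.example.com count as different origins, and keyword sources such as 'unsafe-inline' never permit an external URL.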