0

Trying redoc-cli (https://github.com/Redocly/redoc/) to generate static documentation. No luck with these errors. It looks like Content-Security-Policy don't allow JS code at all.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-g6NjhUYDGd6SXSIYkvuQkZhdbtqx8hqNKVM8JKvqpy4='), or a nonce ('nonce-...') is required to enable inline execution.

<meta
    http-equiv="Content-Security-Policy"
    content="
base-uri;
connect-src *;
default-src * 'unsafe-inline' 'unsafe-eval' data: gap: https://ssl.gstatic.com;
font-src * data:;
form-action;
img-src * data:;
manifest-src *;
media-src;
object-src *;
report-to;
script-src * 'unsafe-inline' 'unsafe-eval';
script-src-attr * 'unsafe-inline' 'unsafe-eval';
script-src-elem * 'unsafe-inline' 'unsafe-eval';
style-src * data: 'unsafe-inline';
style-src-attr * data: 'unsafe-inline';
style-src-elem * data: 'unsafe-inline';
">

Update

Finally fixed.

Server should send these headers:

"Content-Security-Policy" = "script-src blob:" "Content-Security-Policy" = "worker-src blob:"

And HTML should have manifest.json with additional fields:

{
  "content_security_policy": "script-src * 'unsafe-inline' 'unsafe-eval'",
  "csp": "script-src * 'unsafe-inline' 'unsafe-eval'"
}
retro
  • 31
  • 9

1 Answers1

1

As you can see from the error Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'", the lock occurs in the script-src 'self'. But your CSP in meta tag does not have this.

It means you actually have another CSP issued. Usually apps middleware have a default CSP issued via HTTP header, but technically you could have 2 meta-tags CSP too. If there are 2 CSPs, the stricter one applies.

Check the HTML code for 2 <meta http-equiv="Content-Security-Policy" and check in the Developer tools the Content-Security-Policy HTTP header (here is a tutorial).

After fix of above:

  • report-to directive is not supported in meta tag, so you could remove it
  • 'unsafe-eval' token is not supported in the script-src-attr/script-src-elem directives. It is a page's global flag and could be used in script-src/default-src only (see note in para 4.).
  • * and data: is not supported in the style-src-attr directive. It controls the style='...' attribute in the tags, and no any scheme-sources used there.
  • * is not supported in the script-src-attr directive. It controls event handlers like onClick='...' or javascript-navigation like <a href='javascript:...' and no any scheme-sources used there except javascript:.

Full check-list of errors. But you could leave of above in the CSP, browser just ignores those.

granty
  • 7,234
  • 1
  • 14
  • 21