
I have observed the following error in the Chrome Dev Console, even when using an Incognito window:

```
Refused to load the script 'https://localhost:5001/_framework/aspnetcore-browser-refresh.js' because it violates the following Content Security Policy directive: "script-src 'sha256-ZT3q7lL9GXNGhPTB1Vvrvds2xw/kOV0zoeok2tiV23I='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
```

I had a look at the causes, and browser extensions are commonly reported, but in an Incognito window there are no extensions at all. So, is there any fix for this problem?

  • The **Content Security Policy** in different versions of Chrome is different. After upgrading Chrome, check whether this problem still occurs. – Karney. Jan 27 '21 at 03:19
  • Yes, I checked, but Chrome is already updated and on re-testing the problem still occurs. Very strange to see that even in Incognito :( –  Jan 27 '21 at 08:42
  • @Karney. Any other idea to fix it? –  Jan 27 '21 at 08:42

1 Answer

Try changing the security policy, for example:

```html
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' https://localhost:5001 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
```

Or only:

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://localhost:5001 'unsafe-inline' 'unsafe-eval'" />
```

Chrome has the CSP (Content Security Policy).

  • You can't use inline scripting in your Chrome App pages. The restriction bans both blocks and event handlers.
  • You can't reference any external resources in any of your app files (except for video and audio resources). You can't embed external resources in an iframe.
  • You can't use string-to-JavaScript methods like eval() and new Function().

Here is the policy value:

```
default-src 'self';
connect-src * data: blob: filesystem:;
style-src 'self' data: 'unsafe-inline';
img-src 'self' data:;
frame-src 'self' data:;
font-src 'self' data:;
media-src * data: blob: filesystem:;
```

More information

Karney.
  • Many thanks. Is it related to adding a script reference to angular.json or index.html in the Angular app? Or to giving a reference on the .NET Core Razor page? –  Jan 27 '21 at 09:51
  • It should be changed in the Angular index.html. – Karney. Jan 27 '21 at 12:09
  • Any detailed example for the solution please? –  Jan 27 '21 at 12:26
  • @Lorenzo, [link](https://stackoverflow.com/questions/31211359/refused-to-load-the-script-because-it-violates-the-following-content-security-po), refer to the marked answer. – Karney. Jan 27 '21 at 12:28
  • The answer at the link explains almost nothing. –  Jan 27 '21 at 12:40
  • @Lorenzo, Rocío García Luque's answer is more comprehensive. – Karney. Jan 27 '21 at 12:47
  • I tried both your answer and the others in index.html by replacing the necessary part, but it did not work. –  Jan 27 '21 at 13:21
  • @Lorenzo, try `https://localhost` instead of `http://*`. – Karney. Jan 28 '21 at 05:43
  • Both `https://localhost` and `http://*` [allow standard ports](https://csplite.com/csp4/#host_name_standart_port) only, while the nonstandard `:5001` port is used. Only `https://localhost:5001` or `https:` in the `script-src` can fix the issue. – granty Jan 28 '21 at 07:42
  • @Lorenzo, you can change it to this type. – Karney. Jan 28 '21 at 08:08
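As an added illustration of granty's port point (this is not code from the thread): a small Python model, written for this page, of how a browser matches one `script-src` source expression against a script URL. It implements a simplified subset of the CSP3 host-source matching rules (prefix-only path matching, no port-defaulting corner cases), so it approximates Chrome's behaviour rather than reproducing it.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# host-source grammar: [scheme://]host[:port][/path]  (host may be "*" or "*.domain")
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[^/:*]+)"
    r"(?::(?P<port>\d+|\*))?(?P<path>/.*)?$", re.I)

def source_allows(source: str, url: str) -> bool:
    """Simplified CSP3 matching of one source expression against a <script src> URL.
    Keywords, nonces and hashes ('self', 'unsafe-inline', 'sha256-...') never match
    an external URL, so they are reported as no-match here."""
    u = urlsplit(url)
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if source.startswith("'"):
        return False
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", source, re.I):   # scheme-source, e.g. "https:"
        return u.scheme == source[:-1].lower()
    m = HOST_SOURCE.match(source)
    if not m:
        return False
    scheme, host, port, path = m.group("scheme", "host", "port", "path")
    scheme = (scheme or u.scheme).lower()
    if scheme != u.scheme and not (scheme == "http" and u.scheme == "https"):
        return False                                   # http sources may upgrade to https
    if host.startswith("*."):
        if not u.hostname.endswith(host[1:]):          # "*.example.com" -> ".example.com"
            return False
    elif host != "*" and u.hostname != host.lower():
        return False
    # No port in the source means only the URL scheme's default port (80/443) matches,
    # which is why "https://localhost" does not cover https://localhost:5001.
    if port is None:
        if url_port != DEFAULT_PORTS.get(u.scheme):
            return False
    elif port != "*" and url_port != int(port):
        return False
    return not path or u.path.startswith(path)

def directive_allows(script_src: str, url: str) -> bool:
    """True if any source in a script-src value permits loading `url`."""
    return any(source_allows(s, url) for s in script_src.split())

BLOCKED = "https://localhost:5001/_framework/aspnetcore-browser-refresh.js"  # URL from the question
if __name__ == "__main__":
    for v in ("'self' https://localhost", "'self' http://*", "'self' https://localhost:5001", "'self' https:"):
        print(f"{v:32} -> {directive_allows(v, BLOCKED)}")
```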