0

Hello im struggling already a few days on this.

I have a aspx-Website and everything worked on my pc. Then after deploying it on a Server i get following errors:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ET0SWzTymVfQ+qjfGmR3CUWjxDefnjlCs53WMtvYTeU='), or a nonce ('nonce-...') is required to enable inline execution

My C#-Code have some onclick-methods and they transform to JavaScript and become a inline-function.

From:

<asp:CheckBox ID="CheckBox_MO_RS" runat="server" AutoPostBack="True" OnCheckedChanged="CheckBox_RIGHTS_CheckedChanged" Text="MO RS" />

To

<input id="CheckBox_MO_RS" type="checkbox" name="CheckBox_MO_RS" onclick="javascript:setTimeout('__doPostBack(\'CheckBox_MO_RS\',\'\')', 0)">

and those JS-Function doesnt work on the Server because of the violation of the CSP, i think.

What did i try?

  • Tried to add CSP to Web.config.
    • Didnt load at all on Server.
  • Added meta tag to Header
    • Sommething like this:
  • <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'; script-src-elem 'unsafe-inline'"/>
  • But then debuggers still returns the Error Message: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"

I didnt write the directive script-src 'self'. ErrorMessageDebugger Does anyone have any idea?

juliomalves
  • 42,130
  • 20
  • 150
  • 146
ezepter
  • 1
  • 2

2 Answers2

0

Your production server must be adding a CSP. As all content need to pass all policies, it won't help to add another policy.

But as adding 'unsafe-inline' decreases security, you should rather rewrite all your inline events to proper event handling in a js file hosted on the same server as this will make it pass the existing CSP. See also Refused to execute inline event handler because it violates CSP. (SANDBOX)

Halvor Sakshaug
  • 2,583
  • 1
  • 6
  • 9
0

It appears turning AutoPostback on generates inline Javascript on the final HTML. Turning that off will eliminate that particular error but of course, the page won't work as you desire it to though you may add another control such as a button to generate postback. You can try using the hash that the browser suggested above ('sha256-ET0SWzTymVfQ+qjfGmR3CUWjxDefnjlCs53WMtvYTeU='), but with some controls, multiple hashes may be required.

Chiqui Abello
  • 1