Questions tagged [script-src]

Refers to the HTTP Content Security Policy directive that specifies valid sources of JavaScript for an HTML document.

For details related to the script-src Content Security Policy directive:

If your question pertains to CSPs in general, please use the tag.

For general Content Security Policy resources, review the 'Content Security Policy' tag info page.

14 questions
3 votes, 2 answers

Why does CSP script-src unsafe-inline induce styling issues on my Angular webapp?

The issue: When I try to remove the unsafe-inline source for the script-src CSP, my Angular webapp does not work anymore. What is the root cause of this issue? When using SCSS in Angular@12+, Angular adds a property onload on the index.html
1 vote, 0 answers

Amcharts 5 trying to change src tag to load different data set for stock chart

I've broken down 10+ years of 15-minute candlestick data into single years in order for it to load more quickly. I am relatively new to coding and am modifying one of amcharts' terrific demos to see if I can get it to work and I'm running into a…
Ranger
  • 11
  • 2
1 vote, 0 answers

Struts2-core-6.1.1 with Content-Security-Policy HTTP header

I'm migrating a struts2-core-2.5.30 project to struts2-core-6.1.1, however I was getting the following error: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src…
Cemail Sn
  • 25
  • 4
1 vote, 0 answers

How do I prevent jQuery (in a local file) from violating my script-src CSP directive?

A client wants us to add a script-src security policy to our software so that it satisfies their security standards. I have managed to create a relatively secure policy that still allows our code to run... EXCEPT I am getting a console error in my…
ysi_d
  • 11
  • 2
1 vote, 1 answer

How do I fix an error 403 when loading Fathom Analytics’ script.js with CSP in place?

I have a strict CSP (Content-Security-Policy) in place, allowing the Fathom Analytics script.js to be loaded from a custom domain. In the .htaccess on Apache: script-src 'self' 'nonce-%{UNIQUE_ID}e' my-custom-domain.example.com; Application…
0 votes, 0 answers

Chrome Extension - Force-inject inline script with Manifest V3

In a manifest V2 extension content script, the following worked fine: var script = document.createElement('script'); script.textContent = 'console.log("hello")'; document.head.appendChild(script); document.head.removeChild(script); In manifest V3,…
0 votes, 2 answers

Refused to load the script : Content-Security-Policy

Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/axios/0.18.0/axios.min.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so…
0 votes, 1 answer

Does specifying a file in a CSP directive prevent other files from that domain being loaded?

If I have the following script-src directive: script-src: https://example.com/scripts/file.js; Is it possible for any of the following scripts to be…
0 votes, 0 answers

Content Security Policy script-src violated for inline event handlers in dhtmlx suite 4.2

I'm working on an app which is using dhtmlxSuite 4.2 and I was working on refactoring our code base in order to support Content Security Policy. For now, we are removing the 'unsafe-inline' and we are using a nonce to secure inline scripts. Could…
0 votes, 1 answer

Refused to load the script because it violates the following Content-Security-Policy

I didn't use the Google Tag Manager URL in my code but it still shows the ERROR and HERE is the Error. ERROR Refused to load the script 'https://consent.trustarc.com/v2/notice/jznryc' because it violates the following Content Security Policy directive:…
0 votes, 0 answers

How to change to a different url in a XML file on click?

I'm creating a website that has two buttons as icons. One button will have the user go to any random URL in my XML file. My XML file has hundreds of URLs in it that look like…
0 votes, 1 answer

CSP settings for separate js file

Does the script-src parameter using hashes work for inline scripts only? This config works for me (inline script in HTML code): Apache config: Header set Content-Security-Policy-Report-Only: "script-src …
jack
  • 1
0 votes, 1 answer

APIDoc with NodeJS: EvalError while serving documentation page

I'm using APIDoc to generate API documentation of my NodeJS app. I'm facing a problem while serving the generated index.html page: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in…
0 votes, 1 answer

Is there any way to configure Content Security Policy to allow any third-party scripts but disallow inline/eval

Is there any way to configure Content Security Policy to allow any third-party scripts but disallow inline/eval? I have some third-party marketing/analytics scripts that have to be added and removed regularly. I would like to secure the page vs inline…
Harry
  • 52,711
  • 71
  • 177
  • 261