Questions tagged [unsafe-inline]
20 questions
7 votes, 3 answers
Content Security Policy blocks Angular Styles
I want to publish a web application with a strict Content Security Policy. The last remaining issue is: style-src 'self';
I get an error in the browser console saying that a resource was blocked from loading based on the style-src directive in the…

superlazy
3 votes, 2 answers
Why does CSP script-src unsafe-inline induce styling issues on my Angular webapp?
The issue:
When I try to remove unsafe-inline source for script-src CSP my Angular webapp does not work anymore.
What is the root cause of this issue?
When using SCSS in Angular@12+, Angular adds an onload property in the index.html

Quentin Dunand
1 vote, 0 answers
Struts2-core-6.1.1 with Content-Security-Policy HTTP header
I'm migrating a struts2-core-2.5.30 project to struts2-core-6.1.1, however I was getting the following error:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src…

Cemail Sn
1 vote, 1 answer
Electron - LightningChart - Drag and Drop Chart - Unsafe Inline Issues?
I am new to JS/Electron. I'm trying to create an Electron App, my Electron App has several charts, I am using LightningChart JS for my charting. The LightningChart API asks me to target a div, then it apparently inserts a canvas into the div upon…

Kenneth Miller
1 vote, 1 answer
Can we use 'self' with 'unsafe-Inline' instead of nonce for content security policy?
We are getting a security issue due to unsafe-inline in the header, and as per the security team we should use a nonce, but that one is difficult to use with the inline event handler method, so we are looking for the option to use 'self' instead of a nonce

unknown_11
1 vote, 1 answer
How to add 'unsafe-inline' keyword to run inline javascript?
I'm learning javascript and trying to run some inline javascript code. I'm using the electron quick start guide and the code works fine before I try to add some inline javascript.
Here's my index.html:

FluffyBike
1 vote, 2 answers
How can I fix "it violates the following Content Security Policy directive: "default-src 'self'" when I use datalist?
When I use datalist with the Content-Security-Policy" content="default-src 'self'", it gives an error, "Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline'…

tayu
1 vote, 3 answers
Error in Angular: "Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"
My project in Angular 6.2.8, was going very well. However, this error started to appear on the console:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the…

Jefferson Cardoso
1 vote, 0 answers
An API we are using requires 'unsafe-eval' 'unsafe-inline', can we restrict script origin with CSP without further compromising security?
We have a hard dependency on a JavaScript API that requires 'unsafe-inline' 'unsafe-eval' if used in a CSP. If we add a CSP header with the values below can we improve our security posture by limiting whitelisting the origins of where the scripts…

CLJ
0 votes, 1 answer
Why is OWASP Zap warning about CSP script-src 'unsafe-inline' when that is not present?
I used OWASP Zap to scan one of our web servers and a warning that puzzles me is script-src unsafe-inline. The report says the…

Kpt Stofil
0 votes, 0 answers
Content security policy - Angular js application (Style-src, script-src - without 'unsafe-eval', 'unsafe-inline')
If someone can help me whether we can add Content security policy style-src, script-src without 'unsafe-inline' to angular js applications. I tried to apply CSP, but it is throwing an error for the js libraries.
I tried ng-csp in angular js, it is not…
0 votes, 0 answers
CSP not working properly in ASP.NET Web Forms application
We are trying to implement CSP in ASP.NET web forms application. There are many auto generated scripts created by web forms application and CSP is not allowing execution for them. Please guide how we can skip CSP logic without using unsafe-inline…
0 votes, 2 answers
Styles imported through angular.json blocked by Content-Security-Policy script-src: self
I have imported a couple of css and scss files through the angular.json styles array, this eventually added
under . I have content-security-policy:…

Karna
0 votes, 1 answer
How to configure CSP with inline-style in Vue or Nuxt?
I want to deploy a Nuxt application but I have a problem with Csp. I added all the Sha256 to my Csp but some lines are still stuck. I think it's the lines with :style="". What would be the solution? Is it really risky to add an…

Kor
0 votes, 0 answers
how important is 'unsafe-inline' in js and css CSP
I'm developing an app and I came across the CSP policies. I've already done it but I need to put the 'unsafe inline' and 'unsafe eval' in most of the pages because I have inline code or style that changes a little bit the view of the content,…

Jorge Garcia