I'm trying to implement a Content-Security-Policy.

My HTML file does not include any JavaScript code except for including external JS files. But still the console says:

Refused to execute inline script because it violates the following Content Security Policy directive:

So my questions are:

  1. Is including an external JavaScript file like <script src="https://code.jquery.com/jquery-1.12.4.js"></script> seen as an "inline-script"?

  2. If so, what can I do to allow these scripts via CSP? I already tried to use the nonce within my scripts but it always says:

    Undefined attribute name (nonce)

  3. Do dev tools (e.g. Google Chrome) provide a function to see which inline script produces the error?

Thanks

asked Mar 11, 2018 at 19:21 by Jannik

  • Comment by woxxom (Mar 12, 2018 at 11:30): 1. All script files should be inside the extension package. 2. Inline code also means onclick attributes and any other like that.

1 Answer

  1. Including an external JS file is not seen as an "inline-script" in this context. It is enough to specify the external sources in the script-src directive, like script-src 'self' https://code.jquery.com/jquery-1.12.4.js
  2. Because the external files are not seen as inline scripts I don't need to use nonce or hash. But information is provided here.
  3. In the dev tools of Google Chrome I did not find any information on which line or which external JS file leads to the error. Instead I used Firebug. At least the line which leads to the error is mentioned. With this help you could easily eliminate DOM elements which have been overlooked.

But what really helped me is written here.

It’s very important to always define default-src. Otherwise, the directives will default to allowing all resources

In my case adding the default-src 'self' to CSP eliminates the error!
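The decision the answer describes, as an added example that is not part of the original post: a small JavaScript model of how a browser resolves script-src (with the default-src fallback the quoted advice relies on) for an external <script src> versus an inline script with or without a nonce. SELF_ORIGIN and the simplified host matching are assumptions of this example, not part of the question or answer.

```javascript
// Added example (not from the original post): a minimal evaluator for the
// script-src decision a browser makes under a CSP. It models three things the
// answer above relies on: an external <script src> is matched against host
// sources, an inline script needs 'unsafe-inline' or a matching nonce, and
// script-src falls back to default-src when absent (with no default-src at
// all, scripts are unrestricted). Host matching is simplified to exact origin,
// exact URL or path prefix; that and SELF_ORIGIN are assumptions of this example.
const SELF_ORIGIN = "https://example.test"; // constructed origin of the page

// "default-src 'self'; script-src 'self' https://x" -> { "default-src": [...], ... }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Effective source list for scripts: script-src, else default-src, else null (allow all).
function effectiveScriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || null;
}

// External script: allowed if 'self' is listed and the URL is same-origin, or a
// listed host/URL source matches the URL. Keywords and nonces never match a URL.
function allowsExternalScript(header, url) {
  const sources = effectiveScriptSources(parsePolicy(header));
  if (sources === null) return true;
  const u = new URL(url);
  return sources.some((s) => {
    const src = s.replace(/^'|'$/g, "");
    if (src === "self") return u.origin === SELF_ORIGIN;
    if (s.startsWith("'")) return false;
    return url === src || u.origin === src || url.startsWith(src.replace(/\/$/, "") + "/");
  });
}

// Inline script: allowed via a nonce that matches the element's nonce attribute
// (null when absent) or via 'unsafe-inline', which browsers ignore once any
// nonce or hash source is present in the list.
function allowsInlineScript(header, nonce) {
  const sources = effectiveScriptSources(parsePolicy(header));
  if (sources === null) return true;
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```

Running it against the answer's policy shows the jQuery URL allowed, an inline handler still refused, and scripts wide open when neither script-src nor default-src is set.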

Tags: javascript, ContentSecurityPolicy, Refused to execute inline script, Stack Overflow