Now, I was trying out some things concerning CSP and inline scripts. If you want to read up on CSP, I suggest heading over to.

You could add 'unsafe-inline' to the script-src source list to allow all inline scripting (except eval and other bad stuff, you need 'unsafe-eval' in that case), but that is exactly what you would want to avoid. Instead, you can opt to do one of these things:

1. Move the inline scripts to .js files and load them using script tags, while adding 'self' to script-src if that wasn't already the case. The easiest solution, but not always possible.

2. Generate a nonce for each inline script. A nonce means: a unique and hard to predict stream of bytes, different for each script, each page and each request! A nonce could be base64 encoded and look like RJ6bGjm5EO/X8pImZjvjeAexFVei9IvzNFCGw5lQUa0= You would need to add that nonce to the script using the nonce attribute, and also to the script-src source list using 'nonce-RJ6bGjm5EO/X8pImZjvjeAexFVei9IvzNFCGw5lQUa0='

3. Calculate the SHA256, SHA384 or SHA512 digest of each inline script (including all whitespace, but excluding the opening and closing script tags). Like the nonce, you'd need to add these digests to the script-src source list using 'sha256-0ZMofb7eMqkB9IFHnGVZ6Z4chjplAavgi09shinNehs=' for example.

Options 2 and 3 however are only defined in CSP v2, which is currently only implemented by Chrome, Opera and Firefox. The safest method would be to use the hash digest method, option 3. Alas, when you choose option 3, you'll quickly run into the following issues:

Chrome.

80 m on a Windows PC and Chrome keeps telling me this: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-0ZMofb7eMqkB9IFHnGVZ6Z4chjplAavgi09shinNehs='". Either the 'unsafe-inline' keyword, a hash ('sha256-G3FpTn2EFU91Umz2fz6NyjnqeGDTr8SUdmWbsvxzfbY='), or a nonce ('nonce-...') is required to enable inline execution.
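As an added example (not code from the original post), here is how options 2 and 3 can be produced server-side in Python: the hash source expression is computed over exactly the text between the script tags, so two constructed scripts that differ only in whitespace get different hashes, and the nonce comes from a CSPRNG so a fresh one is issued per response. The function names and the sample scripts are my own assumptions.

```python
import base64
import hashlib
import secrets

# Digest algorithms that CSP Level 2 accepts in a script-src hash source.
CSP_HASH_ALGOS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def csp_hash_source(script_body, algo="sha256"):
    """Return the 'sha256-...' source expression for one inline script.

    script_body is exactly the text between <script> and </script>,
    whitespace included; the browser hashes the UTF-8 bytes of that text,
    so any change in indentation or line breaks changes the hash.
    """
    if algo not in CSP_HASH_ALGOS:
        raise ValueError("unsupported CSP hash algorithm: %s" % algo)
    digest = CSP_HASH_ALGOS[algo](script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def csp_nonce_source(nonce_bytes=16):
    """Generate a fresh nonce for one response.

    Returns (value for the script tag's nonce attribute, source expression
    for script-src). secrets.token_bytes is a CSPRNG, so the nonce is hard
    to predict; call this again for every page and every request.
    """
    nonce = base64.b64encode(secrets.token_bytes(nonce_bytes)).decode("ascii")
    return nonce, "'nonce-%s'" % nonce


def build_script_src(sources):
    """Assemble the script-src directive from a list of source expressions."""
    return "script-src " + " ".join(sources)


# Constructed sample inline scripts: identical code, different whitespace.
SCRIPT_A = "console.log('hello');"
SCRIPT_B = "\n  console.log('hello');\n"

if __name__ == "__main__":
    nonce, nonce_src = csp_nonce_source()
    print(build_script_src(["'self'", csp_hash_source(SCRIPT_A), nonce_src]))
    print(csp_hash_source(SCRIPT_B))  # differs from SCRIPT_A's hash
```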