All of the scripts that load externally have this error:
Refused to load the script 'https://code.jquery./jquery-3.4.1.slim.min.js' because it violates the following Content Security Policy directive: "script-src 'self' https://xxxx. https://ajax.googleapis. 'sha256-V8KVL4e3S2PwNnwHfycBcJMRnRhyyPiEpdxcGNLxzvk='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I searched for this error, but all the solutions have 'unsafe-eval' 'unsafe-inline'.
From my understanding, I need to write a meta tag. Something like this:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
I removed the unsafe-inline and unsafe-eval, but the issue still persists. Any idea?
This is what's in my header:
<head>
<link rel="icon" href="img/am.png">
<meta charset="utf-8">
<!-- Required meta tags -->
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<script src="https://use.fontawesome./releases/v5.0.6/js/all.js"></script>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn./bootstrap/4.4.1/css/bootstrap.min.css"
integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
<link href="https://fonts.googleapis./css?family=Montserrat:300,600,700i" rel="stylesheet">
<link rel="stylesheet" href="style.css">
<title>Title</title>
</head>
Before my closing body tag, I have more included scripts:
<script src="https://code.jquery./jquery-3.4.1.slim.min.js"
integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n"
crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr/npm/[email protected]/dist/umd/popper.min.js"
integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo"
crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn./bootstrap/4.4.1/js/bootstrap.min.js"
integrity="sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6"
crossorigin="anonymous"></script>
It's a total of four scripts that are being blocked. One in the header (Font Awesome) and the other scripts before the closing body tag.
Edited Feb 6, 2021 at 14:05 by Melanie Shebel; asked Sep 15, 2020 at 20:39 by M. Guerrero
Comments:
- How do you load the script? – Itamar, Sep 15, 2020 at 21:27
- I updated my question with how I load the scripts. It's 4 scripts that are being blocked. – M. Guerrero, Sep 16, 2020 at 15:18
2 Answers
script-src 'self' https://xxxx. https://ajax.googleapis. 'sha256-V8KVL4e3S2PwNnwHfycBcJMRnRhyyPiEpdxcGNLxzvk='
means that your CMS (or server) already issues a Content Security Policy in some way:
- PHP header() function
- .htaccess file
- <meta http-equiv="Content-Security-Policy"> tag
- web-server config (low probability)
You need to find where it's done (in a CMS it should be a plugin to manage headers). Then add to the script-src directive:
EITHER host-sources (less secure for CDNs with public upload):
https://use.fontawesome. https://code.jquery. https://cdn.jsdelivr https://stackpath.bootstrapcdn.
OR single quoted hashes from integrity attributes of your scripts (more secure):
'sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n' 'sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo' 'sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6' 'sha384-0AJY8UERsBUKdWcyF3o2kisLKeIo6G4Tbd8Y6fbyw6qYmn4WBuqcvxokp8m2UzSD'
OR mixed:
'sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n' 'sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo' 'sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6' https://use.fontawesome.
In the second option you have to add an integrity= attribute to the script in the head section:
<script src="https://use.fontawesome./releases/v5.0.6/js/all.js"
integrity="sha384-0AJY8UERsBUKdWcyF3o2kisLKeIo6G4Tbd8Y6fbyw6qYmn4WBuqcvxokp8m2UzSD"
crossorigin="anonymous"></script>
Updated:
The third option (mixed rule) was added in case it is impractical to change the script below in the <head> section (integrity attribute addition):
<script src="https://use.fontawesome./releases/v5.0.6/js/all.js"></script>
You probably have a CSP response header set in addition to your meta tag CSP. Multiple CSPs will only make it more strict, as anything has to pass both CSPs. You will need to modify the header CSP and add code.jquery. to script-src.
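As an added illustration of both answers (this is not code from either answerer), the Python below models how a browser checks a <script src> element against script-src: it derives the sha384 token that serves as both the integrity attribute and the CSP hash-source, matches host-sources (including the http://* form from the question's meta tag and the script-src-elem fallback named in the error), and evaluates one load against several policies at once, which is why a looser meta tag can never widen a stricter header. The host names, script bodies and policies are constructed stand-ins, not the real files or hosts from the question; ports are ignored for brevity.

```python
"""Model of the browser's <script src> check against CSP script-src.

Added example for this thread, not code from either answer. The script
bodies, host names and policies below are constructed stand-ins.
"""
import base64
import hashlib
from urllib.parse import urlsplit


def csp_hash(data: bytes, algo: str = "sha384") -> str:
    """Return '<algo>-<base64 digest>': the same token is the SRI integrity
    value and, single-quoted, a CSP hash-source."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def parse_csp(policy: str) -> dict:
    """'script-src a b; style-src c' -> {'script-src': ['a', 'b'], 'style-src': ['c']}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(directives: dict):
    """<script src> is governed by script-src-elem; when absent the browser falls
    back to script-src, then default-src (the fallback the error message names)."""
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            return directives[name]
    return None  # no applicable directive: unrestricted


def _scheme_ok(source_scheme: str, url_scheme: str) -> bool:
    # CSP3: an http source expression also matches https URLs.
    return source_scheme == url_scheme or (source_scheme == "http" and url_scheme == "https")


def source_matches(source: str, url: str, page_origin: str, integrity=None) -> bool:
    """Does one source expression allow loading `url` from a page at `page_origin`?"""
    u = urlsplit(url)
    if source == "*":
        return True
    if source == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source.startswith("'sha"):
        # Hash-source: matches when the element's integrity attribute carries the same hash.
        return integrity is not None and source.strip("'") == integrity
    if source.startswith("'"):
        return False  # 'unsafe-inline', 'nonce-...' etc. do not apply to an external load
    if source.endswith(":") and "//" not in source:
        return _scheme_ok(source[:-1].lower(), u.scheme)  # scheme-source such as https:
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and not _scheme_ok(s.scheme, u.scheme):
        return False
    host, uhost = (s.hostname or ""), (u.hostname or "")
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):
            return False
    elif host != "*" and host != uhost:
        return False
    return (not s.path) or u.path.startswith(s.path)  # path prefix match


def allowed_by_policy(policy: str, url: str, page_origin: str, integrity=None) -> bool:
    sources = script_sources(parse_csp(policy))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin, integrity) for s in sources)


def allowed_by_all(policies, url, page_origin, integrity=None) -> bool:
    """A header CSP and a <meta> CSP are enforced independently: adding a second,
    looser policy never widens the first, because the load must pass every policy."""
    return all(allowed_by_policy(p, url, page_origin, integrity) for p in policies)


# Constructed stand-ins (not the real files, hosts or header from the question).
JQUERY_BODY = b"/* stand-in for jquery-3.4.1.slim.min.js */"
JQUERY_SRI = csp_hash(JQUERY_BODY)
PAGE_ORIGIN = "https://www.example"
JQUERY_URL = "https://cdn.example/jquery-3.4.1.slim.min.js"
HEADER_CSP = "script-src 'self' https://ajax.cdn.example"   # the server-issued header (constructed)
META_CSP = "default-src *; script-src 'self' http://*"      # the question's meta tag without unsafe-*


def demo():
    """Returns (allowed_before, allowed_after): the meta tag alone changes nothing;
    the header's script-src must gain a matching hash-source (or host-source)."""
    before = allowed_by_all([HEADER_CSP, META_CSP], JQUERY_URL, PAGE_ORIGIN, JQUERY_SRI)
    fixed_header = f"{HEADER_CSP} '{JQUERY_SRI}'"
    after = allowed_by_all([fixed_header, META_CSP], JQUERY_URL, PAGE_ORIGIN, JQUERY_SRI)
    return before, after


if __name__ == "__main__":
    print("integrity / hash-source token:", JQUERY_SRI)
    print("allowed before, allowed after:", demo())
```

Running it prints the sha384 token once and then (False, True): with the constructed header in place the script is refused even though the meta policy permits it, and it loads only after that header's script-src gains the quoted hash (the second option in the first answer) or the CDN host (the first option). The same csp_hash function applied to the real file bytes gives the value to paste into both the integrity attribute and the header.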