I'm trying to implement a Content-Security-Policy.

My HTML file does not include any JavaScript code except for including external JS files. But still the console says:

Refused to execute inline script because it violates the following Content Security Policy directive:

So my questions are:

1. Is including an external JavaScript file like
   <script src="https://code.jquery./jquery-1.12.4.js"></script>
   seen as an "inline script"? If so, what can I do to allow these scripts via CSP? I already tried to use the nonce within my scripts, but it always says: Undefined attribute name (nonce)

2. Do dev tools (e.g. Google Chrome) provide a function to see which inline script produces the error?

Thanks
asked Mar 11, 2018 at 19:21 by Jannik

Comment: 1. All script files should be inside the extension package. 2. Inline code also means onclick attributes and any other like that. – woxxom, Mar 12, 2018 at 11:30
1 Answer
- Including an external JS file is not seen as an "inline script" in this context. It is enough to specify the external sources in the script-src property, like:
  script-src 'self' https://code.jquery./jquery-1.12.4.js
- Because the external files are not seen as inline scripts I don't need to use a nonce or hash. But information is provided here.
- In the dev tools of Google Chrome I did not find any information about which line or which external JS file leads to the error. Instead I used Firebug. At least the line is mentioned which leads to the error. With this help you could easily eliminate DOM elements which have been overlooked.

But what really helped me is written here:

"It's very important to always define default-src. Otherwise, the directives will default to allowing all resources."

In my case adding default-src 'self' to the CSP eliminates the error!
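Added example, not code from the question or the answer above: a small Python model of how a browser applies script-src (falling back to default-src) to a <script> element, showing that an external src is checked against host sources while inline code, including onclick handlers, needs a nonce, a hash or 'unsafe-inline'. The CDN host cdn.example.net, the nonce value and the page origin are constructed for the example; the matching rules are simplified (no port wildcards, no scheme-only sources, no http-to-https upgrade for 'self').

```python
from urllib.parse import urljoin, urlparse

def parse_csp(header):
    """Turn a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):           # "*.example.net" also covers cdn.example.net
        return host.endswith(pattern[1:])
    return host == pattern

def _source_allows(expr, page_origin, script_url):
    """Does one host or keyword source expression permit loading script_url?"""
    s = urlparse(urljoin(page_origin, script_url))   # resolve relative src values
    if expr == "'self'":                   # same scheme, host and port as the page
        p = urlparse(page_origin)
        return (p.scheme, p.netloc) == (s.scheme, s.netloc)
    if expr.startswith("'"):               # 'none', nonces, hashes never match a URL
        return False
    p = urlparse(expr if "://" in expr else "//" + expr)
    if (p.scheme and p.scheme != s.scheme) or not _host_matches(p.netloc, s.netloc):
        return False
    return (p.path in ("", "/") or         # "/dir/" is a prefix; other paths match exactly
            (s.path.startswith(p.path) if p.path.endswith("/") else s.path == p.path))

def script_allowed(header, page_origin, src=None, nonce=None):
    """(allowed, reason) for a <script> on page_origin; src=None means inline code."""
    policy = parse_csp(header)
    governing = "script-src" if "script-src" in policy else "default-src"
    if governing not in policy:
        return True, "no script-src and no default-src: scripts are unrestricted"
    sources = policy[governing]
    if nonce and f"'nonce-{nonce}'" in sources:
        return True, f"nonce matches {governing}"
    if src is None:                        # inline script: host expressions do not apply
        has_nonce_or_hash = any(e.startswith(("'nonce-", "'sha")) for e in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            return True, f"'unsafe-inline' in {governing}"
        return False, f"Refused to execute inline script because it violates {governing}"
    if any(_source_allows(e, page_origin, src) for e in sources):
        return True, f"{src} matches {governing}"
    return False, f"Refused to load the script '{src}' because it violates {governing}"
```

Running the answer's policy through it shows the external file passing and any leftover inline code (for example an onclick attribute) being the thing that produces the console message.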