I am trying to implement OneTrust for cookie consent into a site I made months ago. When I add the scripts code everything goes ok in localhost: it shows the message, the popup for cookie customization... but when I put it in production nothing appears but a message in console which says:
Refused to load the script 'https://cdn.cookielaw/scripttemplates/otSDKStub.js' because it violates the following Content Security Policy directive: "script-src 'self' https://salesiq.zoho. https://js.zohocdn. https://webforms.pipedrive. https://leadbooster-chat.pipedrive./ https://cdn.eu-central-1.pipedriveassets. https://sc.lfeeder. https://cdn.jsdelivr https://code.jquery. https://cdnjs.cloudflare. https://stackpath.bootstrapcdn. https://stats.wp. https://www.gstatic. http://www.googletagmanager. https://s0.wp. https://s1.wp. https://s2.wp. https://ajax.googleapis. https://www.google-analytics. https://www.youtube. https://s.ytimg. https://platform.linkedin. https://platform.twitter. https://apis.google. https://connect.facebook https://player.vimeo. 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
And the code I added to my header is:
<!-- OneTrust cookie consent notice begins for www.---.. -->
<script src="https://cdn.cookielaw/scripttemplates/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="***-***-***-***-***" ></script>
<script type="text/javascript">
function OptanonWrapper() { }
</script>
<!-- OneTrust cookie consent notice ends for www.---.. -->
It would be great if someone could tell me where the error is. If it is in the code itself or if it is from the libraries I'm using (Analytics, jQuery, Bootstrap...).
Thank you!
asked Apr 30, 2021 at 9:38 by Pablo C
- The error message tells exactly what is going wrong: "it violates the following Content Security Policy directive: "script-src 'self". Either edit or remove the directive, or store the script into your own server. – Teemu Commented Apr 30, 2021 at 10:03
- can you tell me where you found docs describing where to put the script? their docs seem to hide everything pertinent to initial setup – caro Commented Dec 6, 2023 at 19:00
3 Answers
Add a script-src directive with this domain in the allowed list.
Content-Security-Policy: script-src https://cdn.cookielaw/scripttemplates/;
It is not a new directive; it should already be present, as you have an allowed list for many domains.
It's recommended to add -test at the end of your data domain script for staging environments.
You need to add "https://cdn.mypany./script.js" to the "script-src" directive of the policy. There are tools that can automatically generate policies such as CSP Generator.
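The check the browser performs before loading an external script, as an added example that is not part of the original answers: it parses a policy, follows the script-src-elem / script-src / default-src fallback named in the console message, and tests a script URL against each source. It is a simplified matcher (no nonces, hashes, 'strict-dynamic' or redirect handling), and every host in it is a constructed placeholder.

```javascript
// Added example: simplified CSP check for an external <script src>. All hosts are constructed.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// An http source also matches the https version of the same resource.
const schemeOk = (wanted, actual) => wanted === actual || (wanted === 'http:' && actual === 'https:');

function sourceMatches(expr, url, page) {
  if (expr === "'self'") return url.origin === page.origin;
  if (expr.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', nonces, hashes never match a URL
  if (expr === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeOk(expr.toLowerCase(), url.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeOk(scheme ? scheme.toLowerCase() + ':' : page.protocol, url.protocol)) return false;
  const h = host.toLowerCase();
  if (!(h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h)) return false;
  const effPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port ? (port !== '*' && port !== effPort) : url.port !== '') return false;
  if (!path || path === '/') return true;
  // A path ending in "/" is a prefix; any other path must match exactly.
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

function checkScript(header, scriptUrl, pageUrl) {
  const policy = parsePolicy(header);
  const url = new URL(scriptUrl), page = new URL(pageUrl);
  // Fallback chain from the console message: script-src-elem, then script-src, then default-src.
  const directive = ['script-src-elem', 'script-src', 'default-src'].find((d) => policy.has(d));
  if (!directive) return { allowed: true, directive: null };
  return { allowed: policy.get(directive).some((s) => sourceMatches(s, url, page)), directive };
}

const PAGE = 'https://www.site.example/';
const STUB = 'https://cdn.consent-vendor.example/scripttemplates/otSDKStub.js';
const BEFORE = "script-src 'self' https://code.jquery.example https://cdn.jsdelivr.example 'unsafe-inline' 'unsafe-eval'";
const AFTER = BEFORE + ' https://cdn.consent-vendor.example/scripttemplates/';
console.log(checkScript(BEFORE, STUB, PAGE)); // { allowed: false, directive: 'script-src' }
console.log(checkScript(AFTER, STUB, PAGE));  // { allowed: true, directive: 'script-src' }
```

Note that 'unsafe-inline' and 'unsafe-eval' in the policy do nothing for an external script; only a matching host, scheme or 'self' source allows it.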
In my case the problem was Service Worker caching some One Trust requests. One Trust is using weird content-type=text/x-javascript for one of the json requests.
You can check if your application is using some window.fetch polyfill that cannot handle requests to OneTrust.
Error in fetch URL : https://cdn.cookielaw/consent/XXX/YYY/en.json Exception : TypeError: r is undefined
from https://cdn.cookielaw/scripttemplates/6.5.0/otBannerSdk.js