https://stackoverflow.com/questions/14760874
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianI overlooked 'unsafe-inline'. Resources that I allowed to load can use inline styles by doing this:
style-src 'unsafe-inline'
Allowing certain scripts to set inline styles
-
07-03-2022 - |
Question
I'm securing my page using a csp headers. I set both X-Content-Security-Policy and X-Webkit-CSP. to the following value:
default-src 'self';
object-src 'none';
frame-src 'self' *.youtube.com;
style-src 'self' https://ajax.googleapis.com;
script-src 'self' https://ajax.googleapis.com;
report-uri /csp_report
Everything loads fine, but I get tHe following error in chrome. I have yet to test it in other browsers.
Refused to apply inline style because it violates the following Content
Security Policy directive: "style-src 'self' https://ajax.googleapis.com".
referring to a line in a script on the current domain, that's trying to insert some HTML containing inline styles. Is there a way to allow scripts that I have whitelisted usin script-src to do this? I'm getting the same error for jquery, hosted on ajax.googleapis.com.
Solution
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
