Chrome version 18+: How to allow inline scripting with a Content Security Policy?

For recent versions of Chrome (46+), the previously accepted answer is no longer true. unsafe-inline still has no effect (in the manifest and in meta header tags), but per the documentation, you can use the technique described here to relax the restriction. Hash usage for <script> elements: The script-src directive lets developers whitelist a particular …

Allow All Content Security Policy?

For people who still want an even more permissive policy, because the other answers were just not permissive enough, and they must work with google chrome for which * is just not enough: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; …

What’s the purpose of the HTML “nonce” attribute for script and style elements?

The nonce attribute lets you "whitelist" certain inline script and style elements, while avoiding use of the CSP unsafe-inline directive (which would allow all inline script and style), so you still retain the key CSP feature of disallowing inline script/style in general. So the nonce attribute is a way to tell browsers the inline contents …

How to override content security policy while including script in browser JS console?

You can turn off the CSP for your entire browser in Firefox by disabling security.csp.enable in the about:config menu. If you do this, you should use an entirely separate browser for testing. For example, install Firefox Developer Edition alongside your normal browser and use that for testing (and not normal Web use). As an alternative, …

Console shows error about Content Security policy and lots of failed GET requests

Let's start with the easiest problem: Refused to execute inline script because … $('div', this) selects all <div> elements within a <td>. In the source code you provided, the following event handler can be found: <div class="smallfont"> <span style="cursor:pointer" onclick="window.open('member.php?u=47995', '_self')">K4raMong</span> </div> By the default Content Security policy, this is forbidden. To get rid of …

What is happening when I have two CSP (Content Security Policies) policies – header & meta?

If you have CSP directives specified both in a Content-Security-Policy HTTP header and in a meta element, the browser uses the most-restrictive CSP directives, wherever specified. See the details on multiple policies at https://w3c.github.io/webappsec-csp/#multiple-policies and details on using the meta element at https://w3c.github.io/webappsec-csp/#meta-element: A policy specified via a meta element will be enforced along with …