MarkusPettersson98/MarkusPettersson98.github.io

Use of inline scripts is incompatible with strict Content Security Policy


If a webserver is configured with a Content Security Policy (CSP) directive to block inline scripts, serving this website will issue a warning in the browser console: `Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).`

The bad way of fixing this is to update the CSP to add `script-src 'self' 'unsafe-inline';`. The better way of fixing this issue is to get rid of all inline scripts to properly serve the website with a strict CSP.
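
To find what has to move into external files before `'unsafe-inline'` can be dropped, the following added example (not part of the issue or of the repository's code) lists the inline constructs in a page that a `script-src` policy without `'unsafe-inline'` blocks. The function names and the `SAMPLE` page are constructed for illustration.

```javascript
// Added example: list markup that a CSP without 'unsafe-inline' would block.
// Regex heuristic for auditing static pages, not a full HTML parser.
const JS_TYPE = /^(module|(text|application)\/(java|ecma)script)$/i;

const lineOf = (text, index) => text.slice(0, index).split("\n").length;

// Value of attribute `name` in a tag's attribute string, or null if absent.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i").exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findInlineScripts(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const type = attr(m[1], "type");
    // Data blocks such as application/ld+json are not executed, so script-src does not apply.
    const executable = !type || JS_TYPE.test(type.trim());
    if (executable && attr(m[1], "src") === null && m[2].trim() !== "") {
      findings.push({ kind: "inline-script", line: lineOf(html, m.index) });
    }
  }
  // Blank out script elements (keeping newlines) so their bodies are not read as tags.
  const markup = html.replace(scriptRe, (s) => s.replace(/[^\n]/g, " "));
  for (const tag of markup.matchAll(/<[a-z][^>]*>/gi)) {
    const line = lineOf(markup, tag.index);
    for (const h of tag[0].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: "event-handler", line, name: h[1].toLowerCase() });
    }
    if (/\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(tag[0])) {
      findings.push({ kind: "javascript-url", line });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page: only line 4 (external file) and line 5 (data block) pass.
const SAMPLE = `<!doctype html>
<html>
<head>
  <script src="/js/app.js"></script>
  <script type="application/ld+json">{"@type": "Person"}</script>
  <script>document.title = "hi";</script>
</head>
<body onload="init()">
  <a href="javascript:void(0)" onclick="toggle()">menu</a>
</body>
</html>`;
console.log(findInlineScripts(SAMPLE));
```

Each finding is something to move into a file served from the site's own origin (or, for handlers, to attach with `addEventListener` from such a file) so the page loads cleanly under `script-src 'self'`.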