bepsvpt/secure-headers

jquery.min.js

jd5am opened this issue · 1 comments

jd5am commented

Hi there -- I am investigating the use of secure-headers on our site but have hit a problem with regard to enabling CSP.

We see the following:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: 'nonce-NmY3M2YwOTQ5MmQyOTEyMg==' 'nonce-MzQ5Y2RmNzhhMDdkNTRmMw==' 'nonce-MzBlMzg0YmZhN2MzNjk5Ng==' fonts.gstatic.com ajax.googleapis.com code.jquery.com googletagmanager.com google-analytics.com s3.eu-west-2.amazonaws.com cdnjs.cloudflare.com ajax.googleapis.com maxcdn.bootstrapcdn.com unpkg.com google.com cdn.jsdelivr.net gitcdn.github.io checkout.stripe.com fonts.googleapis.com code.ionicframework.com data:". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

which points to our self-hosted jquery.min.js file.

We do not face any other issues and CSP works fine for other scripts and styles.

Would appreciate any help or pointers.

Thanks

This is not related to jquery.min.js.

The error says 'unsafe-inline' was ignored because you used a nonce in your style-src directive.
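
The rule quoted in the error message, as an added example that is not part of the original thread or of secure-headers: a simplified JavaScript model of how a browser evaluates inline styles against a `style-src` source list. The function names and the shortened policy string are assumptions made for illustration.

```javascript
// Added example: simplified model of the CSP check for inline styles.
// Content-hash matching for <style> elements is not modelled.
const NONCE_RE = /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/;
const HASH_RE = /^'sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2}'$/;

// Shortened form of the policy quoted in the issue (host sources omitted).
const ISSUE_POLICY =
  "style-src 'self' 'unsafe-inline' data: https: 'nonce-NmY3M2YwOTQ5MmQyOTEyMg=='";

// Source list that governs styles: style-src, else default-src, else none.
function styleSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives.get('style-src') ?? directives.get('default-src') ?? null;
}

// kind: 'element' for <style>, 'attribute' for style="...".
// nonce: value of the element's nonce attribute, or null if it has none.
function inlineStyleAllowed(policy, kind, nonce = null) {
  const sources = styleSources(policy);
  if (sources === null) return { allowed: true, reason: 'no governing directive' };

  const nonces = sources.map(s => NONCE_RE.exec(s)).filter(Boolean).map(m => m[1]);
  const hasHash = sources.some(s => HASH_RE.test(s));
  const hasUnsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");

  // A nonce can only authorise an element; attributes cannot carry one.
  if (kind === 'element' && nonce !== null && nonces.includes(nonce)) {
    return { allowed: true, reason: 'nonce matches' };
  }
  // 'unsafe-inline' only counts when the list has no nonce and no hash.
  if (hasUnsafeInline && nonces.length === 0 && !hasHash) {
    return { allowed: true, reason: "'unsafe-inline' in effect" };
  }
  if (hasUnsafeInline) {
    return { allowed: false, reason: "'unsafe-inline' ignored: nonce or hash present" };
  }
  return { allowed: false, reason: 'no matching source' };
}

console.log(inlineStyleAllowed(ISSUE_POLICY, 'attribute'));
```

With the nonce removed from the source list, the same call returns `allowed: true`, which is why the violation appears only once a nonce is added alongside `'unsafe-inline'`.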