Menu
I'm trying to mitigate XSS attacks by setting the Content-Security-Policy header but Chrome keeps throwing an error:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-Njg3MGUxNzkyMjViNDZkN2I3YTM3MDAzY2M0MjUxZGEzZmFhNDU0OGZjNDExMWU5OTVmMmMwMTg4NTA3ZmY4OQ=='". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
I tried setting the nonce in <script nonce="Njg3MGUxNzkyMjViNDZkN2I3YTM3MDAzY2M0MjUxZGEzZmFhNDU0OGZjNDExMWU5OTVmMmMwMTg4NTA3ZmY4OQ==" href="main.js"></script> but it does not worked.
Here's my Content-Security-Policy header:
default-src 'none';
script-src 'self' 'nonce-NjJjN2E5YjA0ZDJhNDlhZjlhMDFmZjQzMjE4YzhmMTAzOWNjZjVjMGZjNDIxMWU5YWIyNGMwMTg4NTA3ZmY4OQ==';
connect-src 'self' https://vimeo.com;
img-src 'self';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
media-src 'self' http://player.vimeo.com;
frame-src 'self' http://player.vimeo.com;
I don't like setting the script-src as unsafe-inline, as it voids the used of Content-Security-Policy
292
Other methods. The unsafe-inline source list value can be used to allow inline scripts, but this also defeats much of the purpose of CSP. CSP Level 3 (newest browsers) support a source list value: unsafe-hashes which can be used to allow inline script in javascript event handlers (eg onclick or onmouseover , etc).
An event handler is a JavaScript function that runs when an event fires. An event listener attaches responsiveness to a given element, which allows the element to wait or “listen” for the given event to fire. Events can be assigned to elements via inline event handlers, event handler properties & event listeners.
The unsafe-inline option is to be used when moving or rewriting inline code in your current site is not an immediate option but you still want to use CSP to control other aspects (such as object-src, preventing injection of third-party js etc.).
Aside from semantics and other opinions expressed in the accepted answer, all inline scripts are considered a vulnerability and high security risk. Any website expecting to run on modern browsers are expected to set the 'Content-Security-Policy' (CSP) property, either via meta attribute or headers.
Your CSP is blocking an inline event handler in your HTML code, like <button onclick="myFunction()">Click me</button>.
Inline event handlers are bad practice (mostly because they are inline). See this answer for insight.
Nonce does not seem to work with inline event handlers though. So the best thing to do would be to replace this event handler with a proper one written in your JS file.
If you cannot do that, try adding 'unsafe-hashes' to your script-src.
Kudos for rejecting 'unsafe-inline', it's a shortcut we see way too often, including in production.
200
This error can also be caused by inline styles (styles in html file inside <style> </style>).
I had this issue and removing inline styles solved problem.
Angular users can resolved this by setting "inlineCritical" to false for each configuration (more details here).
Example:
"configurations": {
"production": {
"optimization": {
"scripts": true,
"styles": {
"minify": true,
"inlineCritical": false
},
"fonts": false
}
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
