I keep getting this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Can anyone tell me how to solve this and what does it mean? My code is:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data:gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *"> <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" type="text/css" href="css/index.css"> <link rel="stylesheet" href="css/jquery.mobile-1.4.5.css"> <script src="lib/jquery-3.2.1.min.js"></script> <script type="text/javascript" src="scripts/key.js"></script> <script>$.ajax({ url: ' http://www.visitsingapore.com/api.listing.en.json', type: 'GET', beforeSend: function (xhr) { xhr.setRequestHeader('email ID', '[email protected]'); xhr.setRequestHeader('token ID', '-------'); }, data: {}, success: function (qwe12) { var TrueResult2 = JSON.stringify(qwe12); document.write(TrueResult2); }, error: function () { }, });</script>
Other methods. The unsafe-inline source list value can be used to allow inline scripts, but this also defeats much of the purpose of CSP. CSP Level 3 (newest browsers) support a source list value: unsafe-hashes which can be used to allow inline script in javascript event handlers (eg onclick or onmouseover , etc).
Content Security Policy was built to combat Cross Site Scripting by requiring that you can only load javascript from a specifically trusted origins. But when you put in 'unsafe-inline' you are allowing javascript back into the HTML, which makes XSS possible again.
The unsafe-inline Source List Keyword. The unsafe-inline Content Security Policy (CSP) keyword allows the execution of inline scripts or styles.
The HTTP Content-Security-Policy (CSP) script-src-elem directive specifies valid sources for JavaScript <script> elements, but not inline script event handlers like onclick .
The best way to fix this would be to take that $.ajax(…)
call out of the document and move it into an external file called ajax-call.js
, and then do this:
<script src="ajax-call.js"></script>
The reason that’s better is that if you’re already going to the effort of setting a CSP policy for your document, then you should ideally go to the additional effort of removing all inline scripts.
But if for some reason you really need to keep the script inline in the document, you can change that meta
element so the exact sha256 hash value from the error message is included as a source for the script-src
directive, like this (with some line breaks added just for readability):
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data:gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; script-src 'sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI=' ">
And a couple places to get a bit more information:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With