Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”

I keep getting this error:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Can anyone tell me how to solve this and what does it mean? My code is:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data:gap: http://www.visitsingapore.com   https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *"> <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" type="text/css" href="css/index.css"> <link rel="stylesheet" href="css/jquery.mobile-1.4.5.css"> <script src="lib/jquery-3.2.1.min.js"></script>  <script type="text/javascript" src="scripts/key.js"></script> <script>$.ajax({         url: ' http://www.visitsingapore.com/api.listing.en.json',         type: 'GET',         beforeSend: function (xhr) {             xhr.setRequestHeader('email ID', '[email protected]');             xhr.setRequestHeader('token ID', '-------');         },         data: {},         success: function (qwe12) {             var TrueResult2 = JSON.stringify(qwe12);             document.write(TrueResult2);         },         error: function () { },     });</script> 
like image 264
Yi Kiat Avatar asked Sep 16 '17 18:09

Yi Kiat


People also ask

How do I enable an inline script in CSP?

Other methods. The unsafe-inline source list value can be used to allow inline scripts, but this also defeats much of the purpose of CSP. CSP Level 3 (newest browsers) support a source list value: unsafe-hashes which can be used to allow inline script in javascript event handlers (eg onclick or onmouseover , etc).

Why are inline scripts unsafe?

Content Security Policy was built to combat Cross Site Scripting by requiring that you can only load javascript from a specifically trusted origins. But when you put in 'unsafe-inline' you are allowing javascript back into the HTML, which makes XSS possible again.

What is unsafe-inline keyword?

The unsafe-inline Source List Keyword. The unsafe-inline Content Security Policy (CSP) keyword allows the execution of inline scripts or styles.

What is script src Elem?

The HTTP Content-Security-Policy (CSP) script-src-elem directive specifies valid sources for JavaScript <script> elements, but not inline script event handlers like onclick .


1 Answers

The best way to fix this would be to take that $.ajax(…) call out of the document and move it into an external file called ajax-call.js, and then do this:

<script src="ajax-call.js"></script> 

The reason that’s better is that if you’re already going to the effort of setting a CSP policy for your document, then you should ideally go to the additional effort of removing all inline scripts.

But if for some reason you really need to keep the script inline in the document, you can change that meta element so the exact sha256 hash value from the error message is included as a source for the script-src directive, like this (with some line breaks added just for readability):

<meta http-equiv="Content-Security-Policy"   content="default-src 'self' data:gap: http://www.visitsingapore.com    https://ssl.gstatic.com 'unsafe-eval';   style-src 'self' 'unsafe-inline';   media-src *;   script-src 'sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI=' "> 

And a couple places to get a bit more information:

  • developers.google.com/web/fundamentals/security/csp/#if_you_absolutely_must_use_it
  • www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Refactoring_inline_code
like image 109
sideshowbarker Avatar answered Sep 19 '22 13:09

sideshowbarker