Snippet of our CSP configuration <IfModule mod_headers.c> Header add X-Vhost "lorem" Header set Content-Security-Policy "default-src 'self'; form-action 'none'; script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629'; </IfModule> We have added nonce to all <Script> tags. However, We are getting below console errors(I have added screenshots as well)[Report Only] Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.[Report Only] Refused to connect to '<URL>' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' data: blob: *.gstatic.com". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.The Content-Security-Policy directive 'form-action' contains the keyword 'none' alongside with other source expressions. The keyword 'none' must be the only source expression in the directive value, otherwise it is ignored.erforme-Rosse-The-his-is-Birthe-Doct-The-vs-must:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-d+XiDBXqrAQI7R8KVX9uRAtkHJWNmURyG9QF6TM0bz8='), or a nonce ('nonce-...') is required to enable inline execution.erforme-Rosse-The-his-is-Birthe-Doct-The-vs-must:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-3947263940126385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-d+XiDBXqrAQI7R8KVX9uRAtkHJWNmURyG9QF6TM0bz8='), or a nonce ('nonce-...') is required to enable inline execution.Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-3947263940126385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.csrf.lc-a9dcac4698709ca8e1cbc88363cf0793-lc.js:300 [Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.[Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.[Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.[Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback. Kindly please help me to clear console errors. Thanks

Level 2

Solved

Resolving Content Security Policy (CSP) Console Errors

Forum|Forum|2 years ago
December 7, 2023
2 replies
30602 views

Snippet of our CSP configuration

<IfModule mod_headers.c>
    Header add X-Vhost "lorem"
    Header set Content-Security-Policy 
        "default-src 'self'; 
        form-action 'none'; 
        script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629'; 
</IfModule>

We have added nonce to all <Script> tags. However, We are getting below console errors(I have added screenshots as well)

[Report Only] Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
[Report Only] Refused to connect to '<URL>' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' data: blob: *.gstatic.com". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
The Content-Security-Policy directive 'form-action' contains the keyword 'none' alongside with other source expressions. The keyword 'none' must be the only source expression in the directive value, otherwise it is ignored.
erforme-Rosse-The-his-is-Birthe-Doct-The-vs-must:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-d+XiDBXqrAQI7R8KVX9uRAtkHJWNmURyG9QF6TM0bz8='), or a nonce ('nonce-...') is required to enable inline execution.
erforme-Rosse-The-his-is-Birthe-Doct-The-vs-must:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-3947263940126385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-d+XiDBXqrAQI7R8KVX9uRAtkHJWNmURyG9QF6TM0bz8='), or a nonce ('nonce-...') is required to enable inline execution.
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-3947263940126385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
csrf.lc-a9dcac4698709ca8e1cbc88363cf0793-lc.js:300 [Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
[Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
[Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
[Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

Kindly please help me to clear console errors. Thanks

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Best answer by EstebanBustamante

Hi

Each message provides you with the information needed to address every issue raised by your Content Security Policy (CSP). The reality is that this is a tune-up process, as it can be challenging to get the CSP working perfectly all at once— at least, that's my perspective. My recommendation is to use a Chrome extension to directly inject the CSP header into your browser (https://chromewebstore.google.com/detail/empty-title/idgpnmonknjnojddfkpgkljpfnnfcklj). This way, you can fine-tune it more quickly and safely, leading to a fully functional CSP.

From what I can see, your CSP should already address some of those issues. However, it appears that you are missing a closing quote and a semicolon, suggesting that your CSP may not be working as expected. Please validate it once with the tool I mentioned above:

<IfModule mod_headers.c>
    Header add X-Vhost "lorem"
    Header set Content-Security-Policy 
        "default-src 'self'; 
        form-action 'none'; 
        script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629';"
</IfModule>

Hope this helps.

EstebanBustamante

Accepted solution

Community Advisor and Adobe Champion

Hi

Each message provides you with the information needed to address every issue raised by your Content Security Policy (CSP). The reality is that this is a tune-up process, as it can be challenging to get the CSP working perfectly all at once— at least, that's my perspective. My recommendation is to use a Chrome extension to directly inject the CSP header into your browser (https://chromewebstore.google.com/detail/empty-title/idgpnmonknjnojddfkpgkljpfnnfcklj). This way, you can fine-tune it more quickly and safely, leading to a fully functional CSP.

From what I can see, your CSP should already address some of those issues. However, it appears that you are missing a closing quote and a semicolon, suggesting that your CSP may not be working as expected. Please validate it once with the tool I mentioned above:

<IfModule mod_headers.c>
    Header add X-Vhost "lorem"
    Header set Content-Security-Policy 
        "default-src 'self'; 
        form-action 'none'; 
        script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629';"
</IfModule>

Hope this helps.

Esteban Bustamante

kautuk_sahni

Community Manager

@mahesh_tesla Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

Kautuk Sahni

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded