SOLVED

Resolving Content Security Policy (CSP) Console Errors


Level 2

Snippet of our CSP configuration


<IfModule mod_headers.c>
    Header add X-Vhost "lorem"
    Header set Content-Security-Policy 
        "default-src 'self'; 
        form-action 'none'; 
        script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629'; 
</IfModule>


We have added a nonce to all <script> tags. However, we are getting the console errors below (I have added screenshots as well):

  1. [Report Only] Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
  2. [Report Only] Refused to connect to '<URL>' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' data: blob: *.gstatic.com". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
  3. The Content-Security-Policy directive 'form-action' contains the keyword 'none' alongside with other source expressions. The keyword 'none' must be the only source expression in the directive value, otherwise it is ignored.
  4. erforme-Rosse-The-his-is-Birthe-Doct-The-vs-must:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-d+XiDBXqrAQI7R8KVX9uRAtkHJWNmURyG9QF6TM0bz8='), or a nonce ('nonce-...') is required to enable inline execution.
  5. erforme-Rosse-The-his-is-Birthe-Doct-The-vs-must:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-3947263940126385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-d+XiDBXqrAQI7R8KVX9uRAtkHJWNmURyG9QF6TM0bz8='), or a nonce ('nonce-...') is required to enable inline execution.
  6. Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-3947263940126385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
  7. csrf.lc-a9dcac4698709ca8e1cbc88363cf0793-lc.js:300 [Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
  8. [Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
  9. [Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
  10. [Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.


Kindly help me clear these console errors. Thanks


1 Accepted Solution


Correct answer by
Community Advisor

Hi 


Each message provides you with the information needed to address every issue raised by your Content Security Policy (CSP). The reality is that this is a tune-up process, as it can be challenging to get the CSP working perfectly all at once— at least, that's my perspective. My recommendation is to use a Chrome extension to directly inject the CSP header into your browser (https://chromewebstore.google.com/detail/empty-title/idgpnmonknjnojddfkpgkljpfnnfcklj). This way, you can fine-tune it more quickly and safely, leading to a fully functional CSP.

From what I can see, your CSP should already address some of those issues. However, it appears that you are missing a closing quote and a semicolon, suggesting that your CSP may not be working as expected. Please validate it once with the tool I mentioned above:

<IfModule mod_headers.c>
    Header add X-Vhost "lorem"
    # Apache only continues a directive onto the next line after a trailing backslash
    Header set Content-Security-Policy \
        "default-src 'self'; \
        form-action 'none'; \
        script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629';"
</IfModule>


Hope this helps.



Esteban Bustamante

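Added example, not code from the thread: a small Python linter that reproduces the checks behind the console messages above (an unterminated quote, 'none' mixed with other sources, directives such as connect-src and frame-src silently falling back to default-src, nonce length, and whether a given <script nonce> value matches the header). The SAMPLE header value is constructed from the question's config, joined onto one line.

```python
FALLBACK = {"script-src-elem": "script-src",  # what each unset directive falls back to
            "connect-src": "default-src", "frame-src": "default-src"}

# Constructed sample: the question's header value joined onto one line.
SAMPLE = ("default-src 'self'; form-action 'none'; "
          "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://www.google.com "
          "'nonce-394726394026385629'")

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def lint_csp(value):
    """Return findings for a CSP header value, in the browser's own terms."""
    findings = []
    if value.count("'") % 2:  # an unterminated 'self or 'nonce-... breaks tokenizing
        findings.append("unbalanced single quote: a source expression is unterminated")
    policy = parse_csp(value)
    for name, sources in policy.items():
        if "'none'" in sources and len(sources) > 1:
            findings.append(f"{name}: 'none' with other sources is ignored by the browser")
        nonces = [s for s in sources if s.startswith("'nonce-")]
        if nonces and "'unsafe-inline'" in sources:
            findings.append(f"{name}: 'unsafe-inline' is ignored once a nonce or hash is present")
        for n in nonces:
            # CSP3 asks for 128+ bits (22+ base64 chars) generated fresh per response;
            # a fixed nonce in httpd.conf is guessable and protects nothing.
            if len(n) - len("'nonce-'") < 22:
                findings.append(f"{name}: nonce {n} is too short; generate a fresh one per response")
    for directive, parent in FALLBACK.items():
        if directive not in policy:
            effective = parent if parent in policy else "default-src"
            findings.append(f"{directive} not set; falls back to {effective}: "
                            + " ".join(policy.get(effective, [])))
    return findings

def inline_script_allowed(value, tag_nonce):
    """True if an inline <script nonce=...> passes script-src (or its fallback)."""
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return (f"'nonce-{tag_nonce}'" in sources
            or ("'unsafe-inline'" in sources and not has_nonce_or_hash))
```

Run `lint_csp` on the exact string the server emits (for example from `curl -sI` output) rather than on the httpd.conf source, since the console messages 4 and 5 above show two different nonces in the delivered header.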

2 Replies


Administrator

@mahesh_tesla Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni