The error:

Uncaught Template render error: (result.html)
  EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src *".

The nginx config:

[..]
more_set_headers   "Content-Security-Policy:
                default-src * 'unsafe-eval' 'unsafe-inline';
                script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-inline' https://cdn.raygun.io https://cdn.segment.com https://platform.instagram.com https://www.google-analytics.com https://cdn.mxpnl.com https://maxcdn.bootstrapcdn.com;
                connect-src 'self'  https://api.raygun.io https://api.parse.com https://api.segment.io https://api.mixpanel.com;
                img-src 'self' data: https://*.amazonaws.com https://www.google-analytics.com https://*.akamaihd.net https://www.google.com https://*.licdn.com;
                style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com;
                font-src 'self' https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com;
                frame-src https://instagram.com";
[..]

The issue:

It looks like the Content-Security-Policy set in nginx config is not applied. I checked the headers returned from the server and they are set properly (including unsafe-inline and unsafe-eval).

The question:

Help? Or, in more detail: what else do I have to do to make Chrome render my nunjucks templates?

I am looking for a solution that works server side (no Chrome plugin).

kev

1 Answer

I missed

<meta http-equiv="Content-Security-Policy" content="default-src *"> 

in the template, grrrr!

kev