
I'm getting the following error:

Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src https://api.login.yahoo.com  'unsafe-eval' https://*.yimg.com https://query.yahoo.com https://*.query.yahoo.com https://y.analytics.yahoo.com https://jsapi.login.yahoo.com https://fc.yahoo.com https://pr.comet.yahoo.com 'nonce-gT7EHsVyiyEgB2SwM6hLa7d2U1Q4mbpBxnCD7dLqtN/koiEp'”). A CSP report is being sent.
onclick attribute on BUTTON element

When I send a GET request to the following link, I'm basically opening the following link in the current browser tab. After logging in from Yahoo, I got the above error.

https://api.login.yahoo.com/oauth2/request_auth?client_id=dj0yJmk9UDEzR0kxRzd3bHdIJmQ9WVdrOVpFdzFURmgyTkhVbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD0yNw--&redirect_uri="mySite.com"&response_type=token&language=en-us

For details check this image

  • Did you try to load a javascript file from a host other than the ones mentioned in the CSP directive, or did you try to execute some inline JS? What are you doing before the error shows up? – Matthias Knoll Jan 24 '17 at 06:17
  • @MatthiasKnoll I'm not using any CSP directive; yes, I'm using the following inline JS. On click of the above "Home" button, the Yahoo login page opens. The "buildAuthUrl" function returns the Yahoo OAuth URL along with parameters. I'm not doing anything before the error. I just click on the Home button, give credentials, and that's it. – adnan yaqoob Jan 24 '17 at 08:03
  • Do you host the home button on your own domain or are you injecting it into the yahoo page? I was more thinking that yahoo is returning a CSP header. Have a look at the very first response in the network tab and inspect the response headers. Do they include `Content-Security-Policy`? – Matthias Knoll Jan 24 '17 at 21:05
  • The Home button is on my domain; the first response in the network tab has content-security-policy-report-only, the contents of which are the error I'm facing. It does not have any content-security-policy separately. – adnan yaqoob Jan 25 '17 at 10:03
  • It is probably something to do with the script you are embedding. Hard to say for sure from here. However, since it is report-only, it probably doesn't cause any issues for you, right? – Matthias Knoll Jan 26 '17 at 00:47
  • I encountered a similar problem with the Google Plus button: Content Security Policy: The page's settings observed the loading of a resource at inline ("script-src"). A CSP report is being sent – GoYun.Info Nov 23 '18 at 15:12

0 Answers