7

I tried adding a nonce to SCRIPT_SRC, but CSP complains about adsbygoogle.js: refused to execute inline event handler because it violates the following Content Security Policy directive:

"script-src 'self' *.facebook.net *.facebook.com www.google.com www.gstatic.com 
google.com www.google-analytics.com adservice.google.com adservice.google.de 
pagead2.googlesyndication.com www.pagead2.googlesyndication.com 
https://pagead2.googlesyndication.com storage.googleapis.com 
googleads.g.doubleclick.net ajax.googleapis.com 'nonce-5MallQacNWY+qLLMd5hwAGRaJXReVK7U'". 

(anonymous) @ adsbygoogle.js:2887

It complains about line 2887 (I unminified adsbygoogle.js to see which line CSP complains about).

I assume adding a nonce will allow anything from the JavaScript file it is applied to, except unsafe-inline.

Is there another way to have Google AdSense play along with CSP, or is adding 'unsafe-inline' the only option?

According to this Stack Overflow answer https://stackoverflow.com/a/44867210/4496068 it won't work properly with CSP.

fremon
  • It's 2018, and is there a solution for this problem? Google is very strict on security AFAIK, but this is unacceptable. Can't use their AdSense or Analytics without loosening the site security. – Bhanuka Yd Jul 16 '18 at 05:55
  • 2021 - the problem still exists! It is the pagead2.googlesyndication.com ads being built on the fly. It appears to possibly be the iframe with an onload trigger. So hard to track down though. – Glenn J. Schworak Jan 09 '21 at 14:23
  • April 2021 still get these errors, so frustrating! – Michael Rogers Apr 07 '21 at 15:07
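
The error in the question comes from the browser's inline check for event-handler attributes, which a nonce cannot satisfy because an attribute carries no nonce of its own. The following is an added example, not part of the original post and not AdSense code: a Node.js model of that check as CSP Level 3 describes it, with a constructed handler string `frameLoaded()` and a shortened copy of the question's policy as sample input.

```javascript
// Added example: models the CSP Level 3 inline check for event-handler
// attributes (onload=, onclick=, ...). Not code from AdSense or the post.
const { createHash } = require('node:crypto');

// Return the source list that governs inline event handlers:
// script-src-attr, falling back to script-src, then default-src.
function handlerSourceList(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  for (const name of ['script-src-attr', 'script-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no governing directive: nothing is restricted
}

const isNonceOrHash = (s) => /^'(nonce|sha256|sha384|sha512)-[^']+'$/i.test(s);

// Decide whether a browser would run the given handler attribute value.
function checkInlineHandler(policy, handlerCode) {
  const list = handlerSourceList(policy);
  if (list === null) return { allowed: true, reason: 'no directive applies' };
  const lower = list.map((s) => s.toLowerCase());
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is listed.
  const overridden = list.some(isNonceOrHash) || lower.includes("'strict-dynamic'");
  if (lower.includes("'unsafe-inline'") && !overridden) {
    return { allowed: true, reason: "'unsafe-inline'" };
  }
  // A nonce never matches here: an attribute has no nonce of its own.
  // Hashes apply to attributes only when 'unsafe-hashes' is also listed.
  if (lower.includes("'unsafe-hashes'")) {
    for (const alg of ['sha256', 'sha384', 'sha512']) {
      const digest = createHash(alg).update(handlerCode, 'utf8').digest('base64');
      if (list.includes(`'${alg}-${digest}'`)) {
        return { allowed: true, reason: `'unsafe-hashes' + ${alg}` };
      }
    }
  }
  return { allowed: false, reason: 'blocked: inline event handler' };
}

// Constructed sample: the nonce policy from the question, shortened.
const samplePolicy =
  "script-src 'self' pagead2.googlesyndication.com 'nonce-5MallQacNWY+qLLMd5hwAGRaJXReVK7U'";
console.log(checkInlineHandler(samplePolicy, 'frameLoaded()'));
```
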

0 Answers