Security Policy errors with Automator running JavaScript with Safari

Question

I'm using the following Automator script:

on run {input, parameters}
    set updateCount to 0
    read (item 1 of input)
    set ps to paragraphs of the result
    set tot to count ps
    set TLFile to (("Users:Admin:Desktop:") as text) & "titleList.txt"
    set TLLines to paragraphs of (read file TLFile as «class utf8»)
    set descFile to (("Users:Admin:Desktop:") as text) & "descList.txt"
    set DescLines to paragraphs of (read file descFile as «class utf8»)
    tell application "Safari"
        reopen
        activate
    end tell
    repeat with i from 1 to tot
        set p to item i of ps
        if p is not "" then
            try
                tell application "Safari"
                    tell front window
                        set r to make new tab with properties {URL:p}
                        set current tab to r
                        set titleVal to item i of TLLines
                        set descVal to item i of DescLines
                        set updateCount to updateCount + 1
                        do shell script "echo The value: " & updateCount
                        delay 12
                        do JavaScript "document.getElementsByName('title')[0].value = '" & titleVal & "'; document.getElementsByName('description')[1].value = '" & descVal & "'; 
                                      document.getElementsByClassName('save-changes-button')[0].removeAttribute('disabled');
                                      document.getElementsByClassName('save-changes-button')[0].click();" in current tab
                        delay 4
                        close current tab
                        if updateCount is equal to 10 then
                            say "hi"
                            set updateCount to 0
                            delay 90
                        end if
                        if i = tot then exit repeat
                        repeat
                            delay 4
                            get URL of r
                        end repeat
                    end tell
                end tell
            end try
        end if
    end repeat
end run

I've been able to run this script with YouTube on Safari a few months ago without problems. Now it is not performing the JavaScript actions. Errors show up in Safari's inspector:

1. "The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. postmessageRelay:0"
2. "Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy."

How can I bypass these errors so my script can run?

Answer 1

As error #2 in the question indicates, the fix to make the policy work in Safari for now is to change it to specify either a hash or nonce for the relevant script — or else add 'unsafe-inline'.

In browsers that support 'strict-dynamic', the 'unsafe-inline' part will be ignored.

The cause of both errors is that Safari doesn’t yet support 'strict-dynamic'. See the following:

• https://bugs.webkit.org/show_bug.cgi?id=184031
• https://bugs.webkit.org/show_bug.cgi?id=175277

All that said, it’s not clear from the current information in the question where the CSP policy in force is actually specified. So unless you already know where that is, I guess the first step is to determine where the policy is specified, and change it there.