I have something like this in a meta tag in my Pug file. I have a ton of CDNs (2-3) in my file.

 meta(http-equiv='Content-Security-Policy' content="default-src * 'unsafe-inline' 'unsafe-eval'; script-src-elem * 'unsafe-inline';")

I get an error like the following, although I have defined script-src-elem.

 Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

I would really appreciate your help. Thank you in advance.

sideshowbarker
Sulav Dahal

2 Answers

4

Let me guess. You use Pug linked with Express. In Express you use the Helmet security middleware.

The point is that Helmet 4 publishes a CSP by default via an HTTP header, and script-src 'self' is a fragment of Helmet's default CSP.

Since you already have one CSP published, you can't relax it using a meta tag. In case of 2 CSPs being published, all sources have to pass unscathed through both CSPs. Therefore your script-src-elem * 'unsafe-inline' from the meta tag does not trigger a violation, but script-src 'self' from the CSP HTTP header does raise it.
You have to remove the meta tag and configure Helmet via helmet.contentSecurityPolicy(options). Or disable CSP in Helmet and use a meta tag:

app.use(
  helmet({
    // Turns off only Helmet's Content-Security-Policy header; its other headers stay enabled.
    contentSecurityPolicy: false,
  })
);
granty
0

Seems like your browser does not support this directive.

The message you get is explained on MDN under script-src-elem:

If script-src-elem is absent, User Agent falls back to the script-src directive, and if that is absent as well, to default-src.

And by the way:

specifies valid sources for JavaScript elements, but not inline script event handlers like onclick

tom
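As an added example (not code from either answer), this Node script models how a browser decides a `<script src>` load: it resolves the script-src-elem -> script-src -> default-src fallback that tom quotes from MDN and applies the rule from granty's answer that a URL must pass every delivered policy (HTTP header and meta tag). The page origin, the CDN origin and the abridged Helmet default header are constructed values.

```javascript
// Constructed sample values: the page's own origin and a CDN it loads from.
const PAGE_ORIGIN = "https://app.example";
// Helmet 4's default CSP header, abridged to the directives relevant here (constructed).
const HELMET_HEADER = "default-src 'self';script-src 'self'";
// The asker's <meta> policy.
const META_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'; script-src-elem * 'unsafe-inline';";

// "name source source ...; name ..." -> { name: [sources] }
function parsePolicy(text) {
  const directives = {};
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name] = sources;
  }
  return directives;
}

// Fallback chain for <script src> loads: script-src-elem, then script-src, then default-src.
// (Inline event handlers such as onclick are governed by script-src-attr instead.)
function governingDirective(policy) {
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (policy[name]) return { name, sources: policy[name] };
  }
  return null; // no directive governs script loads in this policy
}

// Simplified source matching: '*', 'self', or an exact scheme+host origin.
function sourceMatches(source, url) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === PAGE_ORIGIN;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  return url.origin === source;
}

// Every policy must allow the URL. Returns null when allowed, otherwise the
// text of the directive that refused it (what the browser console reports).
function checkScriptLoad(policies, scriptUrl) {
  const url = new URL(scriptUrl);
  for (const text of policies) {
    const directive = governingDirective(parsePolicy(text));
    if (directive === null) continue;
    if (!directive.sources.some((s) => sourceMatches(s, url))) {
      return `${directive.name} ${directive.sources.join(" ")}`;
    }
  }
  return null;
}

// Header + meta together refuse the CDN: the meta tag cannot widen the header's policy.
console.log(checkScriptLoad([HELMET_HEADER, META_POLICY], "https://cdn.example/lib.js"));
// The fix belongs on the header side, e.g. a script-src-elem listing the CDN origin.
console.log(checkScriptLoad(["script-src-elem 'self' https://cdn.example"], "https://cdn.example/lib.js"));
```

The first call reports `script-src 'self'`, matching the console error in the question; the second returns null once the CDN origin is in the header's policy, which is what configuring helmet.contentSecurityPolicy(options) achieves.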