0

Refused to load the script 'https://cdn.socket.io/4.5.4/socket.io.min.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script

  <head>
    <title>Socket.IO chat</title>
    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'self' https://cdn.socket.io; connect-src 'self' https://cdn.socket.io;">
  </head>

i did add this in the head of my html but in browser console it show me the above error.

i did also try this

  <head>
    <title>Socket.IO chat</title>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' https://cdn.socket.io; connect-src 'self' https://cdn.socket.io;">
  </head>

<!DOCTYPE html>
<html>
  <head>
    <title>Socket.IO chat</title>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' https://cdn.socket.io http://localhost:3000;">
  </head>
  <body>
    <ul id="messages"></ul>
    <form id="form" action="">
      <input id="input" autocomplete="off" /><button>Send</button>
    </form>
  </body>
  <script src="https://cdn.socket.io/4.5.4/socket.io.min.js"</script>
</html>

here is the full html for the example of socket.io

robel popandro
  • 1
  • 1

1 Answers1

0

The script import should be in the <script> </script> tag.

Script imports in HTML are a fine thing, StackExchange probably has the answer you are looking for: <script src="https://cdn.socket.io/socket.io-1.0.0.js"></script>

Question: "Socket.io client served from CDN" at Socket.io client served from CDN has an accepted answer.

First type of import, in HTLM

Here are the points to understand,

  1. <meta> </meta> is a tag has a good enough description at w3schools.com, if/when you need it - specify your content types with it. This socket.io script or/and import may not need it.
  2. JavaScript is application/text, without any meta tag in the header you will be able to just use the script tag. Maybe find the min/uglified version. To import socket.io from cdn, you need the <script> </script>

Use the script tag for JavaScript mins and others in HTML, likely index.html [but possibly index.js or some other .html, .js, .tx, .jxt, ...etc. ], stack.io will become accessible in other <script> </script> tags in your HTML page.

This way your React, Vue, Next, Gatsby, ...etc will find your socket.io if it can't somehow, this can reveal why you would not need the import in HTML for socket.io.

Don't nest script tags, not sure what this will be used for when supported.

Second type of import, from JavaScript

You can do this from inside the <script> </script> tag. Socker.io front page:

import { Server } from "socket.io";

<script type='module'>
import { Server } from "socket.io"; // or from something like: "https://cdnjs.cloudflare.com/ajax/libs/socket.io/4.4.1/socket.io.min.js"
</script>

package.json is to be used to get this to work, a static build vi a framework is going to include the socket.io source code.

In overall, you hit a security issue injecting a script into a meta tag.

Yevgeny Streltsov
  • 11
  • 2