
I keep getting this error:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Can anyone tell me how to solve this and what it means? My code is:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="css/index.css">
<link rel="stylesheet" href="css/jquery.mobile-1.4.5.css">
<script src="lib/jquery-3.2.1.min.js"></script>

<script type="text/javascript" src="scripts/key.js"></script>
<script>$.ajax({
        url: ' http://www.visitsingapore.com/api.listing.en.json',
        type: 'GET',
        beforeSend: function (xhr) {
            xhr.setRequestHeader('email ID', '[email protected]');
            xhr.setRequestHeader('token ID', '-------');
        },
        data: {},
        success: function (qwe12) {
            var TrueResult2 = JSON.stringify(qwe12);
            document.write(TrueResult2);
        },
        error: function () { },
    });</script>
  • Is this a browser-specific error? Or is this a WebKit-specific security 'feature'? Commented Mar 2, 2021 at 10:21

3 Answers

The best way to fix this would be to take that $.ajax(…) call out of the document and move it into an external file called ajax-call.js, and then do the following:

<script src="ajax-call.js"></script>

The reason that’s better is, if you’re already going to the effort of setting a CSP policy for your document, then you should ideally go to the additional effort of removing all inline scripts.

But if for some reason you really need to keep the script inline in the document, you can change that meta element so the exact sha256 hash value from the error message is included as a source for the script-src directive, like this (with some line breaks added just for readability):

<!-- Note: as the error message says, script-src falls back to default-src only while
     script-src is absent. Once script-src is set, default-src no longer covers scripts,
     so 'self' (needed for lib/jquery-3.2.1.min.js and scripts/key.js) and 'unsafe-eval'
     are repeated in script-src alongside the hash. -->
<meta http-equiv="Content-Security-Policy"
  content="default-src 'self' data: gap: http://www.visitsingapore.com
  https://ssl.gstatic.com 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  media-src *;
  script-src 'self' 'unsafe-eval' 'sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='
">

And the following are a couple places to get a bit more information:


3 Comments

I tried to create a new js file and put the tag in the html file <script type="text/javascript" src="scripts/ajax-call.js"></script>, but I got another error: "XMLHttpRequest cannot load visitsingapore.com/api.listing.en.json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'localhost:4400' is therefore not allowed access." What does this mean?
It means the problem described in the question is solved. But you have an additional, completely unrelated problem from the one you describe in the question, and that's answered here. So you should post a new question about the additional unrelated problem.
@sideshowbarker Adding the sha256 hash value from the error worked for me, thank you.
It happens because your CSP does not allow inline scripts. You can read more about how it works and how to allow it here:

https://content-security-policy.com/examples/allow-inline-script/

I got a similar error after enabling client-side monitoring for Azure App Service with Application Insights.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Got it working again by disabling client-side monitoring by setting APPINSIGHTS_JAVASCRIPT_ENABLED to false.


https://learn.microsoft.com/en-us/azure/azure-monitor/app/codeless-app-service?tabs=net#enable-client-side-monitoring

Comments

In my case this happened due to a plugin: the plugin was trying to execute some operation in the website and the website blocked it. The issue was with the BlazeMeter Chrome plugin.

So just remove plugins and then try again, or check with another browser.

1 Comment

This does not really answer the question. If you have a different question, you can ask it by clicking Ask Question. To get notified when this question gets new answers, you can follow this question. Once you have enough reputation, you can also add a bounty to draw more attention to this question. - From Review
