Preface: Hashes belonging to all known or identifiable Javascripts have been included in the CSP Header.
When I click on the custom Facebook share button, I get the following error:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src..."
From within the browser console I see that the error refers to a generic <!DOCTYPE html> X which is in the HTML page where external Javascripts are called.
It looks like the called inline event handler is nested within a Javascript (this Javascript has its own hash in the CSP header and it is called from the HTML page mentioned above):
INLINE EVENT HANDLER:
var s = new Array('"#" onclick="window.open(\'//www.facebook.com/sharer/sharer.php?u=' + u + '\', \'_blank\', \'scrollbars=0, resizable=1, menubar=0, left=100, top=100, width=550, height=440, toolbar=0, status=0\');return false" title="share on example"');
var l = "";
for (j = 0; j < s.length; j++) l += '<a rel="noopener noreferrer" style="display:inline-block;vertical-align:bottom;width:32px;height:32px;margin: 10px 10px 10px 10px;padding:0;outline:none;background:url(' + f + fn + ") -" + 32 * j + 'px 0 no-repeat" href=' + s[j] + ' target="_blank"></a>';
e[k].innerHTML = '<span id="share">' + l + "</span>";
The event handler should open a new browser window, but it fails, generating the error in the subject. However, it opens a new browser tab, reloading the same page (it does not open facebook.com).
If I disable the CSP in the header, everything works fine.
Unfortunately, I am unable to identify the exact inline event handler for generating the correct hash.
Is there any effective debugging tool or technique for tracing the precise code which is triggering the error, or any other way to resolve this issue?
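
An added example, not part of the original post: hash sources in script-src match <script> elements, not onclick attributes (unless 'unsafe-hashes' is present), so no hash of the surrounding script will allow the handler that innerHTML injects. One CSP-compatible form of the same link builds it with DOM calls and attaches the click handler with addEventListener. The names buildShareLink, renderShare, the share-container id and the sprite path are assumptions.

```javascript
// Added example, not code from the original post. Names such as
// buildShareLink, renderShare and "share-container" are assumptions.
const SHARE_FEATURES = "noopener,scrollbars=0,resizable=1,menubar=0," +
  "left=100,top=100,width=550,height=440,toolbar=0,status=0";

// Build the share link with DOM calls, so no onclick="..." attribute is parsed.
function buildShareLink(doc, win, pageUrl, spriteUrl) {
  // Assumes pageUrl is the raw, not yet encoded, page address.
  const shareUrl = "https://www.facebook.com/sharer/sharer.php?u=" +
    encodeURIComponent(pageUrl);
  const a = doc.createElement("a");
  a.href = shareUrl;               // plain link still works if the script is blocked
  a.target = "_blank";
  a.rel = "noopener noreferrer";
  a.title = "share on example";
  // CSSOM assignments are not treated as inline style attributes by CSP.
  Object.assign(a.style, {
    display: "inline-block", verticalAlign: "bottom",
    width: "32px", height: "32px", margin: "10px", padding: "0",
    outline: "none", background: "url(" + spriteUrl + ") 0 0 no-repeat",
  });
  // The listener is part of this script, so the script's own CSP allowance covers it.
  a.addEventListener("click", function (event) {
    event.preventDefault();        // replaces the inline "return false"
    win.open(shareUrl, "_blank", SHARE_FEATURES);
  });
  return a;
}

function renderShare(doc, win, container, pageUrl, spriteUrl) {
  const span = doc.createElement("span");
  span.id = "share";
  span.appendChild(buildShareLink(doc, win, pageUrl, spriteUrl));
  container.replaceChildren(span); // replaces the innerHTML assignment
  return span;
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
  const box = document.getElementById("share-container");
  if (box) renderShare(document, window, box, location.href, "/img/share.png");
}
```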