I added the following to a web page:
```
<script type="text/javascript">
    window.addEventListener("load", function () {
        window.location = "https://localhost:5002";
    });
</script>
```
When I run the application I get the following error:
```
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'"
```
When I remove the script I do not get the error anymore.
Any idea why this happens?
Answer
Your current CSP setting is:
```
"default-src 'self'"
```
which means that you can only execute your code from your root URL (localhost:5000).
You can try to extend this policy to the other URL you are using:
```
"default-src 'self' https://localhost:5002"
```
The CSP setting location depends on your web server. In the case of Apache, this is set in the ‘.htaccess’ file.
P.S.: ‘unsafe-eval’ doesn’t seem to be related to the listener you are adding, but you can try the above change anyway.