I added the following to a web page:
<script type="text/javascript"> window.addEventListener("load", function () { window.location = "https://localhost:5002"; }); </script>
When I run the application I get the following error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'"
When I remove the script I do not get the error anymore.
Any idea why this happens?
Advertisement
Answer
Your current CSP setting is:
"default-src 'self'"
which means that you can only execute your code from your root URL (localhost:5000).
You can try to extend this policy to the other URL you are using:
"default-src 'self' https://localhost:5002"
The CSP setting location depends on your web server. In case of Apache, this is set in file ‘.htaccess’.
P.S: ‘unsafe-eval’ doesn’t seem to be related to the listener you are adding, but you can try the above change anyway.