Tag: content-security-policy

Jinja2, JavaScript and CSP

I’ve been studying Flask and Jinja2 for a while now, and I notice that all the books and tutorials I’ve found put {% block js %} after {% block body %}. This appears to violate CSP which, as I understand it, dictates that all JavaScript code be in external files and that the <script> tags which include those files be

Content Security Policy: Should a CSP contain hashes for external scripts?

What I am unsure about: I am wondering if the Content-Security-Policy header should/can contain hashes for external JavaScript files (aka tags with a src attribute, <script src="foo.js"></script>). What I have tried: In Chromium-based browsers and Mozilla Firefox, my external scripts are blocked, even when including all of those scripts’ hashes in the Content-Security-Policy header: I have also tried My

CSP issues with JavaScript and CSS – password visibility toggle

I am currently working on some frontend development on a server. However, when I try to add inline CSS and JavaScript for my password visibility toggle I keep getting the same CSP errors in Google Chrome. Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' The code I have tried:

jQuery + DataTables causing CSP errors for inline style

I have been trying to get rid of the unsafe-inline from the CSP style-src headers as it is vulnerable. While removing this, I am getting the errors below in jQuery execution in Chrome: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-TXYxR0tlamZ1emk2a3Y4RHFwdTdTZ0JaR1R2TTdEaUk=' 'unsafe-eval' ". Either the 'unsafe-inline' keyword, a hash ('sha256-Z0MkpGRk0/9QW+7eJ/G1D//1i6WKVbat+HlIwkiFln4='), or a

Helmet Content Security Policy Global Path not working

I am using Helmet to set up the content security policies of my web app in the backend using Express. The policies look like the following: When my app tries to access a link such as It says that it violates the styleSrc policy. But I have specified as one of the policies that is allowed; I thought

This document requires 'TrustedScriptURL' assignment

After adding require-trusted-types-for 'script'; in my Content-Security-Policy header, which was introduced in Chrome 83 Beta to help lock down DOM XSS injection sinks, when I open my website it becomes a blank page. I got many of these three kinds of errors in my console. (Chrome version 83.0.4103.61) This document requires 'TrustedScript' assignment. This document requires 'TrustedScriptURL' assignment. TypeError: Failed to set