GTM not propagating nonce to Custom HTML tags

In order to add the nonce attribute to the Custom HTML scripts, it must be first defined as a GTM variable: Add id="gtmScript" to the nonce-aware version of GTM snippet – this will be used to target the element and capture nonce. <script id="gtmScript" nonce="{GENERATED_NONCE}"> // GTM function </script> In GTM, create a new variable …

How to fix chrome-extension inline JavaScript invocation error?

By default, under Content Security Policy, inline scripts won’t be loaded and only local scripts can be loaded. You could relax the default policy by: Inline Script. Take a look at the Official Guide; inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. See Hash usage for elements for …

Google Adwords CSP (content security policy) img-src

Unfortunately, there aren’t many ways around this. Resources require either whitelisting (in the case of remote resources, like this one) or inlining tricks (i.e. nonce or sha256-…) when CSP is active. At the end of the day, though, CSP can probably still make your site safer and protect most resources. Depending on what you are …

How can I allow Mixed contents (http with https) using content-security-policy meta tag?

You can’t. CSP is there to restrict content on your website, not to loosen browser restrictions. Secure https sites give users certain guarantees and it’s not really fair to then allow http content to be loaded over them (hence the mixed content warnings), and really not fair if you could hide these warnings without your …

Cordova – refuse to execute inline event handler because it violates the following content Security policy

Check this link, it says: Inline JavaScript will not be executed. This restriction bans both inline <script> blocks and inline event handlers (e.g. button onclick="…"). This is to avoid cross-site scripting issues like the one specified below.

app#/home:1 Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-d452460d-e219-a6e5-5709-c8af6ca82889' chrome-extension: 'unsafe-inline' 'unsafe-eval' …

Chrome version 18+: How to allow inline scripting with a Content Security Policy?

For recent versions of Chrome (46+), the previously accepted answer is no longer true. unsafe-inline still has no effect (in the manifest and in meta header tags), but per the documentation, you can use the technique described here to relax the restriction. Hash usage for <script> elements: The script-src directive lets developers whitelist a particular …

Extension refuses to load the script due to Content Security Policy directive

In a Chrome extension, external script sources must be explicitly allowed by the extension’s content security policy (CSP) in your manifest: If you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted… A relaxed policy …

Allow All Content Security Policy?

For people who still want an even more permissive policy, because the other answers were just not permissive enough, and they must work with Google Chrome for which * is just not enough: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; …