While experimenting, I recommend using the Script Console to adjust the CSP parameter dynamically as described on the Configuring Content Security Policy page. (There’s another note in the Jenkins wiki page that indicates you may need to Force Reload the page to see the new settings.) In order to use both inline styles and local … Read more
Not yet. In the same link you can read: Note: The attr() function can be used with any CSS property, but support for properties other than content is experimental, and support for the type-or-unit parameter is sparse. Still no browser support the attr() for properties different than content and also no support for the type-or-unit. … Read more
After seeing this exact same pattern in some of my applications, I finally got to the root of this! The weirdness we were seeing was that CSP reports were coming in for a hostname which was definitely in the script-src directive; and we know that script-src-elem is supposed to fall back to those directives. From … Read more
The CSP cannot cause the problem you’ve described. It’s very likely that you’re using JSONP instead of plain JSON. JSONP does not work in Chrome, because JSONP works by inserting a <script> tag in the document, whose src attribute is set to the URL of the webservice. This is disallowed by the CSP. Provided that … Read more
One of the consequences of “manifest_version”: 2 is that Content Security Policy is enabled by default. And Chrome developers chose to be strict about it and always disallow inline JavaScript code – only code placed in an external JavaScript file is allowed to execute (to prevent Cross-Site Scripting vulnerabilities in extensions). So instead of defining … Read more
You can turn off the CSP for your entire browser in Firefox by disabling security.csp.enable in the about:config menu. If you do this, you should use an entirely separate browser for testing. For example, install Firefox Developer Edition alongside your normal browser and use that for testing (and not normal Web use). As an alternative, … Read more
The nonce attribute lets you to “whitelist” certain inline script and style elements, while avoiding use of the CSP unsafe-inline directive (which would allow all inline script and style), so you still retain the key CSP feature of disallowing inline script/style in general. So the nonce attribute is way to tell browsers the inline contents … Read more
Let’s start with the easiest problem: Refused to execute inline script because … $(‘div’, this) selects all <div> elements within a <td>. In the source code you provided, the following event handler can be found: <div class=”smallfont”> <span style=”cursor:pointer” onclick=”window.open(‘member.php?u=47995’, ‘_self’)”>K4raMong</span> </div> By the default Content Security policy, this is forbidden. To get rid off … Read more
If you have CSP directives specified both in a Content-Security-Policy HTTP header and in a meta element, the browser uses the most-restrictive CSP directives, wherever specified. See the details on multiple polices at https://w3c.github.io/webappsec-csp/#multiple-policies and details on using the meta element at https://w3c.github.io/webappsec-csp/#meta-element: A policy specified via a meta element will be enforced along with … Read more
You have said you can only load scripts from your own site (self). You have then tried to load a script from another site (www.google.com) and, because you’ve restricted this, you can’t. That’s the whole point of Content Security Policy (CSP). You can change your first line to: <meta http-equiv=”Content-Security-Policy” content=”default-src *; style-src ‘self’ ‘unsafe-inline’; … Read more