I need to implement a content security policy for a customer.
Everything works well except for the js scripts. I need to allow external js scripts.
Code in my vhost apache :
Header set X-Content-Type-Options: "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Content-Security-Policy "default-src 'self' https:// multiple domains ; img-src 'self' www.googletagmanager.com ; style-src 'self' 'unsafe-inline' ; script-src * 'self' 'unsafe-inline'; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com/gtag/js ; object-src 'self'; form-action 'self' "
Header set X-Frame-Options: "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Options FollowSymLinks MultiViews
AllowOverride All
I added:
script-src * 'self' 'unsafe-inline';
However, I still get an error message:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'.
What to do ?
Thanks in advance
You basically have two options: