apache 2 script-src permission issue in content security policy


I need to implement a content security policy for a customer.

Everything works well except for the js scripts. I need to allow external js scripts.

Code in my Apache vhost:

Header set X-Content-Type-Options: "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Content-Security-Policy "default-src 'self' https:// multiple domains ; img-src 'self' www.googletagmanager.com ; style-src 'self' 'unsafe-inline' ; script-src *  'self' 'unsafe-inline'; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com/gtag/js ; object-src 'self'; form-action 'self' "
Header set X-Frame-Options: "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Options FollowSymLinks MultiViews
AllowOverride All

I added:

script-src * 'self' 'unsafe-inline';

However, I still get an error message:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'.

What to do?

Thanks in advance


You basically have two options:

  1. The good and safe option: Rewrite eval statements as explained here https://web.dev/csp/#eval-too
  2. The bad and unsafe option: Add 'unsafe-eval' to script-src
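As an added example (not code from the question or the answer), here are the eval-style patterns that produce the "Refused to evaluate a string as JavaScript" error beside the CSP-safe rewrites option 1 refers to, plus a small helper that reports which script-src list a policy string actually enforces; the policy strings and template data are constructed for illustration.

```javascript
// Added example (not code from the question or the answer). It shows the
// eval-style patterns that trigger "Refused to evaluate a string as
// JavaScript" beside CSP-safe rewrites, which is what option 1 means, and a
// helper that reports which script-src sources a given CSP header enforces.
// setTimeout("code", ms) / setInterval("code", ms) are the same problem as
// eval(); pass a function reference instead of a string.

// Pattern 1: eval() used as a JSON parser -> JSON.parse().
function parseSettingsUnsafe(text) {
  // Anything inside `text` runs as code; this is exactly what CSP blocks.
  return eval("(" + text + ")");
}
function parseSettingsSafe(text) {
  // JSON.parse accepts data only; code in the input is a SyntaxError, never run.
  return JSON.parse(text);
}

// Pattern 2: new Function() as a template engine -> plain string substitution.
function renderUnsafe(template, data) {
  // Compiles the template into a function at run time, so it needs 'unsafe-eval'.
  const body = "return `" + template.replace(/\{\{(\w+)\}\}/g, "${data.$1}") + "`;";
  return new Function("data", body)(data);
}
function renderSafe(template, data) {
  // Same output without run-time code generation; unknown keys render empty.
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : "");
}

// Helper: the script-src source list a browser enforces for a header. When
// script-src is absent the browser falls back to default-src, which is one
// reason an error message can quote a directive that differs from the one
// you believe you added; run the header the server really sends through it.
function effectiveScriptSrc(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  const sources = directives.get("script-src") || directives.get("default-src") || [];
  return { sources, allowsEval: sources.includes("'unsafe-eval'") };
}
```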