Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' *.WHOLE_ORG". Either the 'unsafe-inline' keyword, a hash ('sha256-SOMEHASH'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Reproduction steps
Configure CSP in the API Management resource to enabled or report only
Go to an API in the api portal that has implicit auth configured
Call the implicit auth
See it authenticating, but not calling back to the portal
Expected behavior
Should allow calls
Is your portal managed or self-hosted?
Self-hosted
Bug description
CSP will violate on self-hosted, because it cannot run a script that calls back to the portal page.
In a self-hosted setup, you have:
A console message looks something like this:
Release tag or commit SHA (if using self-hosted version)
Latest
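The decision the console message describes, as an added example that is not part of the original report or the portal's code: with no `script-src` in the policy, `default-src` governs inline scripts, and a hash source for the exact script text is one way to allow it without `'unsafe-inline'`. Function names and the script text are assumptions made for illustration; `script-src-elem` and `'strict-dynamic'` are not modeled.

```javascript
// Added example; function names are hypothetical, not from the portal code base.
const crypto = require("crypto");

// CSP hash source: base64 SHA-256 over the exact text between the <script> tags.
function cspHashSource(scriptText) {
  const digest = crypto.createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Split a policy string into directive name -> source list (first occurrence wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Decide whether an inline <script> may run under the policy.
function checkInlineScript(policy, scriptText, nonce) {
  const directives = parsePolicy(policy);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const directive = ["script-src", "default-src"].find((d) => directives.has(d));
  if (!directive) return { allowed: true, directive: null, reason: "no governing directive" };
  const sources = directives.get(directive);
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return { allowed: true, directive, reason: "nonce" };
  if (sources.includes(cspHashSource(scriptText))) return { allowed: true, directive, reason: "hash" };
  // 'unsafe-inline' is ignored once the directive lists any nonce or hash source.
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (sources.includes("'unsafe-inline'") && !strict) return { allowed: true, directive, reason: "unsafe-inline" };
  return { allowed: false, directive, reason: "inline script blocked" };
}

// Policy string from the console message; the script text is a constructed stand-in.
const reportedPolicy = "default-src 'self' *.WHOLE_ORG";
const callbackScript = "/* constructed stand-in for the inline callback script */";
const fixedPolicy = `${reportedPolicy}; script-src 'self' ${cspHashSource(callbackScript)}`;

console.log(checkInlineScript(reportedPolicy, callbackScript)); // blocked via default-src
console.log(checkInlineScript(fixedPolicy, callbackScript));    // allowed via hash
```

The hash covers the script text byte for byte, so any change to the inline script (including whitespace) requires a new hash in the policy.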