Hubs-Foundation / hubs-cloud

Resources for self hosted Hubs Cloud instances
Mozilla Public License 2.0

[Community Edition] Inline script security error from google analytics script #326

Open kfarr opened 6 months ago

kfarr commented 6 months ago

This error shows in the console on a CE vanilla deployment:

3dstreet.club/:54 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-vARSGAaZnRYvehlmZaZDRM9BKcw75XaQ3CfjZqo+6nM=' 'self' blob: 'sha256-/S6PM16MxkmUT7zJN2lkEKFgvXR7yL4Z8PCrRrFu4Q8=' 'sha256-MIpWPgYj31kCgSUFc0UwHGQrV87W6N5ozotqfxxQG0w=' 'sha256-ViVvpb0oYlPAp7R8ZLxlNI6rsf7E7oz8l1SgCIXgMvM=' 'sha256-buF6N8Z4p2PuaaeRUjm7mxBpPNf4XlCT9Fep83YabbM=' 'sha256-foB3G7vO68Ot8wctsG3OKBQ84ADKVinlnTg9/s93Ycs=' 'sha256-g0j42v3Wo/ohUAMR/t0EuObDSEkx1rZ3lv45fUaNmYs=' 'sha256-hsbRcgUBASABDq7qVGVTpbnWq/ns7B+ToTctZFJXYi8=' 'unsafe-eval' https://aframe.io https://cdn.jsdelivr.net/docsearch.js/1/docsearch.min.js https://s.ytimg.com https://ssl.google-analytics.com https://www.google-analytics.com https://www.youtube.com https://assets.3dstreet.club https://3dstreet.club". Either the 'unsafe-inline' keyword, a hash ('sha256-HdoAyVHHhir7+8DfZLbxtfYc9gLaWgaL6GwPs6mic0k='), or a nonce ('nonce-...') is required to enable inline execution.

The inline scripts are in the HTML files such as: https://github.com/mozilla/hubs/blob/master/src/index.html#L23 and https://github.com/mozilla/hubs/blob/master/src/hub.html#L22

A few possible solutions:
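Added example, not part of the issue or of the Hubs code base: a Node.js check that computes the CSP hash source of each inline script in a page and lists the ones a `script-src` directive would refuse, which is the mismatch the console error above reports. The function names, the sample page and the sample policy are constructed for illustration, and the policy is assumed to contain a `script-src` directive.

```javascript
const { createHash } = require("node:crypto");

// CSP hash source: base64 SHA-256 of the exact text between <script> and
// </script>. Any whitespace change in the template changes the hash.
function cspHash(scriptText) {
  return `'sha256-${createHash("sha256").update(scriptText, "utf8").digest("base64")}'`;
}

// Source expressions of the script-src directive (empty array if absent).
function scriptSrcSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return [];
}

// Bodies of inline scripts (no src attribute). A regex is enough for simple
// build templates; it is not a full HTML parser.
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)]
    .filter(([, attrs, body]) => !/\bsrc\s*=/i.test(attrs) && body.length > 0)
    .map(([, , body]) => body);
}

// Inline scripts the policy would refuse, each with the hash source to add.
function blockedInlineScripts(html, policy) {
  const sources = scriptSrcSources(policy);
  // Browsers ignore 'unsafe-inline' once any hash or nonce source is present.
  const hasHashOrNonce = sources.some((s) => /^'(sha(256|384|512)|nonce)-/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasHashOrNonce) return [];
  return inlineScripts(html)
    .map((body) => ({ hash: cspHash(body), body }))
    .filter(({ hash }) => !sources.includes(hash));
}

// Constructed sample page and policy (not taken from the Hubs repository).
const ALLOWED = "\n  window.APP_CONFIG = {};\n";
const NOT_ALLOWED = "\n  window.dataLayer = window.dataLayer || [];\n";
const SAMPLE_HTML = `<html><head>
<script src="/app.js"></script>
<script>${ALLOWED}</script>
<script>${NOT_ALLOWED}</script>
</head></html>`;
const SAMPLE_POLICY = `default-src 'none'; script-src ${cspHash(ALLOWED)} 'self' blob:`;
for (const { hash } of blockedInlineScripts(SAMPLE_HTML, SAMPLE_POLICY)) {
  console.log(`blocked inline script, add to script-src: ${hash}`);
}
```

Running a check like this against the built HTML in CI catches a template edit that silently invalidates a hash before the page is deployed.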