Closed bannarisoftwares closed 2 years ago
Hi @bannarisoftwares, Thanks for opening an issue.
The default content security policy of the sample will block external scripts from being run by the browser. This is why you have received this error.
The content security policy is added by a CloudFront response headers policy included in the template. You can update this policy in https://github.com/aws-samples/amazon-cloudfront-secure-static-site/blob/77d1971b6f1a22ef0bb5f5df5550ca507f727672/templates/cloudfront-site.yaml#L146
Specifically, I think you will need to add a new entry to the script-src or script-src-elem directive.
Hi, Connor! Could this person do something like:
ContentSecurityPolicy: "default-src 'none'; img-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; style-src 'self'; object-src 'none'"
or, do you think that they should include the entire URL like:
ContentSecurityPolicy: "default-src 'none'; img-src 'self'; script-src 'self' https://cdnjs.cloudflare.com/ajax/libs/react-dom/17.0.2/umd/react-dom.production.min.js; style-src 'self'; object-src 'none'"
? Thanks!
This page shows examples of allowed values.
Only the domain is specified in a Content Security Policy, rather than a whole URL (including the path).
So in your example, script-src 'self' https://cdnjs.cloudflare.com/; is correct.
Thanks @ConnorKirk ... Thank you very much...
Getting this error while deploying React app
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/react-dom/17.0.2/umd/react-dom.production.min.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
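The directive fallback named in the error message and the two script-src variants discussed in this thread can be compared with a small matcher. This is an added example, not code from the sample repository: it implements only a simplified subset of CSP source matching, and the site origin, the second cdnjs URL and the 'self'-only policy string are constructed for illustration.

```javascript
// Simplified CSP check for <script src> loads. Handles 'none', 'self' and
// scheme://host sources with an optional path. Wildcards, scheme-only sources,
// nonces and hashes are not modelled and are treated as non-matching.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  let expr;
  try { expr = new URL(source); } catch { return false; } // keywords, bare hosts
  if (expr.origin !== url.origin) return false;
  // A source path ending in "/" is a prefix match; any other path must match exactly.
  const path = expr.pathname;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

function scriptAllowed(policy, scriptUrl, selfOrigin) {
  const directives = parsePolicy(policy);
  // Fallback chain for script elements: script-src-elem, script-src, default-src.
  const directive = ['script-src-elem', 'script-src', 'default-src'].find((d) => directives.has(d));
  if (!directive) return { allowed: true, directive: null };
  const url = new URL(scriptUrl);
  const allowed = directives.get(directive).some((s) => sourceMatches(s, url, selfOrigin));
  return { allowed, directive };
}

const SELF = 'https://site.example'; // hypothetical site origin
const REACT_DOM = 'https://cdnjs.cloudflare.com/ajax/libs/react-dom/17.0.2/umd/react-dom.production.min.js';
const OTHER = 'https://cdnjs.cloudflare.com/ajax/libs/example/1.0.0/example.min.js'; // constructed
const withScriptSrc = (s) =>
  `default-src 'none'; img-src 'self'; script-src ${s}; style-src 'self'; object-src 'none'`;
const POLICIES = {
  selfOnly: withScriptSrc("'self'"), // constructed to match the directive quoted in the error
  originOnly: withScriptSrc("'self' https://cdnjs.cloudflare.com"),
  fullUrl: withScriptSrc(`'self' ${REACT_DOM}`),
};

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, scriptAllowed(policy, REACT_DOM, SELF), scriptAllowed(policy, OTHER, SELF).allowed);
}
```

The origin-only entry admits every script hosted on that origin, while the full-URL entry admits only the one file, so the narrower form limits what a compromised or unexpected CDN path can load.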