Closed urfusion closed 4 years ago
Hi @urfusion,
Could you tell me which script was blocked by CSP and which browser you are using?
Hi @bepsvpt,
There are multiple errors
```html
<!-- Facebook Pixel Code -->
<script>
!function (f, b, e, v, n, t, s)
{
    if (f.fbq)
        return;
    n = f.fbq = function () {
        n.callMethod ?
            n.callMethod.apply(n, arguments) : n.queue.push(arguments)
    };
    if (!f._fbq)
        f._fbq = n;
    n.push = n;
    n.loaded = !0;
    n.version = '2.0';
    n.queue = [];
    t = b.createElement(e);
    t.async = !0;
    t.src = v;
    s = b.getElementsByTagName(e)[0];
    s.parentNode.insertBefore(t, s)
}(window, document, 'script',
    'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1585');
fbq('track', 'PageView');
</script>
```
and
```html
<script>
function book_clickHandler(event) {
    document.getElementById('action').value = 'book';
    document.getElementById('theForm').submit();
}
</script>
```
and
```html
<script>
$(window).on('load', function() {
    var vid = document.getElementById("Homevideo");
    vid.pause();
    vid.play();
});
</script>
```
All the inline scripts are getting this error.
Could you use the browser developer tools to check the actual CSP header that the browser received?
I am getting errors like this in the Mozilla console.
Sorry for the confusion. Could you provide the CSP header value, as in the following screenshot?
The main URL CSP is
default-src; base-uri 'none'; connect-src 'self' https://staging.domain.com:8443/socket.io/ wss://staging.domain.com:8443/socket.io/; font-src 'self' data: https:; form-action 'self'; frame-ancestors 'none'; frame-src 'self' https:; img-src 'self' https://www.facebook.com/tr?id=15252&ev=PageView&noscript=1 data: https:; media-src 'self' https://player.vimeo.com/external/236428774.hd.mp4?s=645fbf379b8ee6c4312e1b3aae5a85fa8cc3ddf0&profile_id=174 https://vod-progressive.akamaized.net/exp=1581614269~acl=%2A%2F841967436.mp4%2A~hmac=5bff94ff9fe1a8b2c86b3de3597db625596924afef0a5e47ec6851a1030e9e30/vimeo-prod-skyfire-std-us/01/2285/9/236428774/841967436.mp4; object-src 'none'; plugin-types application/x-shockwave-flash; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://maps.googleapis.com/maps/api/js?key=AIzaSyB9tsdaqE0M-sjdRS4a2sBTwkbUsMqahnkaIs https://www.google.com/recaptcha/api.js https://cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/jquery.validate.js https://maps.googleapis.com/maps-api-v3/api/js/39/10/common.js https://maps.googleapis.com/maps-api-v3/api/js/39/10/util.js https://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.min.js https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/additional-methods.js https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/ScrollMagic.min.js https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.min.js https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/debug.addIndicators.min.js https://www.gstatic.com/recaptcha/releases/vJuUWXolyYJx1oqUVmpPuryQ/recaptcha__en.js https://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate?1shttps%3A%2F%2Fstaging.domain.com%2F&4sAIzaSyB9tqE0M-sjdRS4a2sBTwkbUsMqahnkaIs&callback=_xdc_._wl020o&key=AIzaSyB9tqE0M-sjdRS4a2sBTwkbUsMqahnkaIs&token=85722 https://connect.facebook.net/en_US/fbevents.js 'nonce-b447920613e8f5668d835282ab2ffee4' https:; 
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://fonts.googleapis.com/css?family=Biryani:200,300,400,500,600,700 https://cdnjs.cloudflare.com/ajax/libs/bootstrap-datetimepicker/4.15.35/css/bootstrap-datetimepicker.min.css https:; worker-src 'none'; upgrade-insecure-requests
According to https://csp-evaluator.withgoogle.com
unsafe-inline is ignored if a nonce or a hash is present. (CSP2 and above)
Please set `add-generated-nonce` to false and try again.
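The rule quoted from the CSP Evaluator, as an added example that is not part of the original thread or of the package's code: a small model of how a CSP2+ browser decides whether an inline `<script>` may run. The function names and the two shortened policies are assumptions constructed for illustration; only the nonce value and the source keywords come from the header posted above, and hash matching is not modelled.

```javascript
// Parse a policy string into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Only the first occurrence of a directive is honoured.
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = sources;
    }
  }
  return directives;
}

const NONCE_RE = /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/;
const HASH_RE = /^'sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2}'$/;

// scriptNonce is the <script> element's nonce attribute, or undefined.
function inlineScriptDecision(policy, scriptNonce) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src']; // fallback chain
  if (!sources) return { allowed: true, reason: 'no script-src or default-src' };

  const nonces = sources.map(s => NONCE_RE.exec(s)).filter(Boolean).map(m => m[1]);
  const hasHash = sources.some(s => HASH_RE.test(s));
  if (scriptNonce && nonces.includes(scriptNonce)) {
    return { allowed: true, reason: 'nonce matches' };
  }
  const unsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  if (unsafeInline && nonces.length === 0 && !hasHash) {
    return { allowed: true, reason: "'unsafe-inline' in effect" };
  }
  if (unsafeInline) {
    return { allowed: false, reason: "'unsafe-inline' ignored: nonce or hash present" };
  }
  return { allowed: false, reason: 'no matching source' };
}

// Constructed policies, shortened from the shape of the header in this thread.
const WITH_NONCE = "default-src; script-src 'self' 'unsafe-inline' 'unsafe-eval' " +
  "https://connect.facebook.net/en_US/fbevents.js " +
  "'nonce-b447920613e8f5668d835282ab2ffee4' https:";
const WITHOUT_NONCE = "default-src; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";

console.log(inlineScriptDecision(WITH_NONCE));    // plain inline script: blocked
console.log(inlineScriptDecision(WITHOUT_NONCE)); // plain inline script: allowed
```

`WITHOUT_NONCE` corresponds to the policy sent once `add-generated-nonce` is false; with the nonce kept, an inline script runs only if its `nonce` attribute carries the same value.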
Cool. Working now. Thanks.
Thanks for reporting this issue. I will add the related information to the document.
I am continually getting the below error
Below is my file