Originally posted by **GonrasK** November 29, 2023
In addition to laravel-medialibrary, I'm utilizing the spatie/laravel-csp package and adhering to a strict CSP configuration. The issue arises with the responsive images feature of the media library. The generated tags include an onload attribute containing inline JavaScript, which conflicts with my CSP settings:
```
$ curl -I https://mydomain.com
HTTP/2 200
date: Wed, 29 Nov 2023 17:57:06 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-cache, private
content-security-policy: base-uri 'self';connect-src 'self';default-src 'self';form-action 'self';img-src 'self';media-src 'self';object-src 'none';script-src 'self' 'unsafe-inline' 'nonce-1j6D7g7APhvTpPalGtMjj9sCuffDyo5t';style-src 'self' 'unsafe-inline'
```
The browser refuses to execute the inline script in the onload attribute, leading to CSP violation reports:
```
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-67KaA7Fb3jdS9gqASwfUPPN8VaURL7Bp'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list
```
Ideally, I would like to avoid using 'unsafe-inline' in the script directive for security reasons.
Here's an example of an `<img>` tag generated by the media library:
```
```
Could you please advise on a possible solution or workaround for this issue? Are there any configurations within the media library that I can leverage to either modify or remove the inline `onload` handler, or to make it compatible with a strict CSP implementation?
Discussed in https://github.com/spatie/laravel-medialibrary/discussions/3452
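
The browser behaviour quoted in the violation report can be reproduced offline. The following is an added example, not part of the original post and not code from either Spatie package: a simplified model of the CSP Level 3 rules for inline event handlers, run against the header shown above. The names `parseCsp` and `inlineHandlerVerdict` and the `handlerHashes` parameter are hypothetical.

```javascript
// Parse a CSP header value into a Map: directive name -> source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

const isNonceOrHash = (s) => /^'(nonce|sha256|sha384|sha512)-[^']+'$/i.test(s);

// Simplified CSP Level 3 check for an inline event handler such as onload="...".
// handlerHashes (assumption): hash-source expressions of the handler text,
// computed by the caller, e.g. "'sha256-<base64 digest>'".
function inlineHandlerVerdict(header, handlerHashes = []) {
  const policy = parseCsp(header);
  // Handler attributes fall back: script-src-attr -> script-src -> default-src.
  const sources = policy.get('script-src-attr') ?? policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return { allowed: true, reason: 'no directive governs inline handlers' };
  const keywords = sources.map((s) => s.toLowerCase());
  // A nonce, a hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline'.
  const ignored = sources.some((s) => isNonceOrHash(s)) || keywords.includes("'strict-dynamic'");
  if (keywords.includes("'unsafe-inline'") && !ignored) {
    return { allowed: true, reason: "'unsafe-inline' is in effect" };
  }
  // Nonces never apply to attributes; hashes apply only with 'unsafe-hashes'.
  if (keywords.includes("'unsafe-hashes'") && handlerHashes.some((h) => sources.includes(h))) {
    return { allowed: true, reason: "handler hash matched under 'unsafe-hashes'" };
  }
  const reason = keywords.includes("'unsafe-inline'")
    ? "'unsafe-inline' is ignored: a nonce, hash or 'strict-dynamic' is present"
    : 'no source expression permits inline handlers';
  return { allowed: false, reason };
}

// Header value copied from the curl output in the post above.
const POSTED_CSP = "base-uri 'self';connect-src 'self';default-src 'self';form-action 'self';img-src 'self';media-src 'self';object-src 'none';script-src 'self' 'unsafe-inline' 'nonce-1j6D7g7APhvTpPalGtMjj9sCuffDyo5t';style-src 'self' 'unsafe-inline'";
// Constructed variant: the same policy with the nonce removed.
const NO_NONCE_CSP = POSTED_CSP.replace(/ 'nonce-[^']+'/, '');

console.log('posted policy :', inlineHandlerVerdict(POSTED_CSP));
console.log('nonce removed :', inlineHandlerVerdict(NO_NONCE_CSP));
```

The second verdict only shows why the handler ran before a nonce was added to the policy; a nonce cannot authorise an attribute, so under a nonce-based policy the handler has to be registered from a script the policy already permits.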