I have a Bootstrap site that uses jQuery v3.4.0 (3.3.x had the same problem). The header from the site with the Content Security Policy looks like this:

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2275
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; img-src 'self' data: image/png; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
X-Content-Security-Policy: default-src 'self'; img-src 'self' data: image/png; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
Referrer-Policy: strict-origin-when-cross-origin
Vary: Cookie
Server: Werkzeug/0.15.1 Python/3.6.7
Date: Sat, 27 Apr 2019 21:37:07 GMT

All of my scripts are hosted locally (so 'self' should suffice), no inline scripts or style attributes are used in the site itself, but Chrome still generates a good amount of errors: console screenshot, screenshot with non-minified version of jQuery

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

As you can see, I also added the hash that Chrome itself has generated to the CSP, but no matter what I change (I also tried adding that hash to 'script-src') I still get the same type of errors.

There are many similar questions about Chrome and CSP, but none of them has answered why Chrome would forbid a script to edit styles when it should be permitted by 'self' or the hash.

0 Answers
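An added example, not part of the original post: a Python check that parses the policy from the header above and tests whether the text of an inline `<style>` element would pass `style-src` by hash. It shows that the hash Chrome printed is the SHA-256 of empty input, so it can only match an empty `<style>` element; hash sources are compared against element text and do not cover `style` attributes unless CSP Level 3 `'unsafe-hashes'` is present. The function names are this example's own, and base64url hash variants are not handled.

```python
import base64
import hashlib

# Policy value copied from the Content-Security-Policy header in the question.
POLICY = ("default-src 'self'; img-src 'self' data: image/png; "
          "style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='")

ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def hash_source(content, algorithm="sha256"):
    """Return the CSP hash source for the exact text of an inline <style>/<script> element."""
    digest = ALGORITHMS[algorithm](content.encode("utf-8")).digest()
    return "'{}-{}'".format(algorithm, base64.b64encode(digest).decode("ascii"))


def parse_policy(policy):
    """Split a serialized policy into {directive name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; only the first occurrence counts.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """Sources governing `name`, falling back to default-src when it is absent."""
    return directives.get(name, directives.get("default-src", []))


def inline_style_element_allowed(policy, css_text):
    """Would a <style> element with this text pass style-src by hash or 'unsafe-inline'?"""
    sources = effective_sources(parse_policy(policy), "style-src")
    hashes = [s for s in sources if s.strip("'").split("-")[0] in ALGORITHMS]
    nonces = [s for s in sources if s.startswith("'nonce-")]
    if any(hash_source(css_text, h.strip("'").split("-")[0]) == h for h in hashes):
        return True
    # 'unsafe-inline' is ignored once any hash or nonce source is present.
    return "'unsafe-inline'" in sources and not hashes and not nonces
```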