I am trying to modify my web software to use a Content Security Policy. When I compile without it, everything runs fine. When I include CSP headers, Chrome flags an error in two places (using the Chrome developer tools):
- A “Refused to execute inline script because it violates the Content Security Policy…” error in the first line of every ASPX or HTML file – even though there is no inline JavaScript!
- A “Code generation from strings disallowed for this context” error – this is noted in the jquery-1.8.3.min.js file but appears to originate from some JQuery that I’ve written where I am iterating over data coming down from a web service to generate items on the page.
So, two questions: why am I always being told that every file is in violation even if it is just a pure static HTML file?
Second, does content security really mean that I can’t use strings when generating html using JQuery – even when it is in a dedicated .js file? I’ve looked at information all over the web and this particular issue really isn’t addressed. So…what are the rules here?
All I really want is to prevent A) inline JavaScript and B) the loading of external JS files.
Any help would be very much appreciated!
UPDATE: The string errors went away when I upgraded JQuery/JQueryUI to 1.8.2 / 1.9.1. The versions that I was using before were only about a month old, so this appears to be a recent improvement in JQuery. I can’t be sure that this was JQuery though, as I’ve been making other changes as well, but it makes sense to be on the more recent JQuery if you can.
Content Security Policy blocks `eval` and eval-like structures (`new Function`, `setTimeout([STRING], ...)`, etc.) by default; they can be just as dangerous as inline script. If you’d like to allow `eval`, you’ll need to whitelist `'unsafe-eval'` as an accepted source of script. That might look like:

The relevant portion of the spec is http://www.w3.org/TR/CSP/#script-src. http://www.html5rocks.com/en/tutorials/security/content-security-policy/#eval-too might also be helpful.
Regarding the error messages, I’d suggest using Canary. We’ve improved the error messages significantly in the last month or two; I hope you’ll have a better debugging experience in Stable in the near future. If you’re still getting errors in Canary that don’t give you enough information to debug the problem, please file a bug (http://new.crbug.com/) and post the ID here. I’ll make sure someone looks at it.
I’m happy to hear you’re experimenting with CSP!
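As an added illustration of the rules discussed in this thread (not code from the question or the answer), here is a small checker that reads a Content-Security-Policy header value and reports whether the effective script policy permits inline script, eval-like code generation, and scripts from other origins. The function names `parseCsp` and `scriptPolicy` and the sample headers are constructed for this example; the keyword source expressions (`'self'`, `'none'`, `'unsafe-inline'`, `'unsafe-eval'`) are the ones defined by the CSP spec.

```javascript
'use strict';

// Parse "directive value value; directive value" into a Map of directive -> source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore later duplicates.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report what the policy lets scripts do. script-src falls back to default-src when
// absent; with neither present the policy places no restriction on script at all.
// Nonce and hash sources (a later CSP level) are deliberately not modelled here.
function scriptPolicy(header) {
  const directives = parseCsp(header);
  const sources = directives.get('script-src') || directives.get('default-src');
  if (sources === undefined) {
    return { restricted: false, inline: true, eval: true, external: true };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const has = (keyword) => lower.includes(keyword);
  if (has("'none'")) {
    return { restricted: true, inline: false, eval: false, external: false };
  }
  const keywords = ["'self'", "'unsafe-inline'", "'unsafe-eval'"];
  // Any token that is not a keyword is a host or scheme source, i.e. it lets the
  // page load script from somewhere other than its own origin.
  const external = lower.some((s) => !keywords.includes(s));
  return {
    restricted: true,
    inline: has("'unsafe-inline'"), // inline <script> blocks and on* attribute handlers
    eval: has("'unsafe-eval'"),     // eval, new Function, setTimeout/setInterval with a string
    external,
  };
}

// Constructed sample: the policy the original poster wants (own origin only, no eval).
const SELF_ONLY = "default-src 'self'";
// Constructed sample: same policy, but with eval-like constructs re-enabled as the answer describes.
const SELF_WITH_EVAL = "default-src 'self'; script-src 'self' 'unsafe-eval'";
```

With `SELF_ONLY`, inline scripts, eval-like calls and third-party script files are all refused; with `SELF_WITH_EVAL`, only eval-like calls are allowed again, while inline and external script stay blocked.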