AkhilaR
Aug 28, 2024

Unable to load the CSS and JavaScript when we use Content-Security-Policy in custom headers

This is my site: https://itcui2022.revalweb.com/. Here I am using Content Security Policy; I have added the code below to my web application's web.config. This is the custom header code in web.config:

<customHeaders>
  <remove name="X-Powered-By" />
  <remove name="Vary" />
  <remove name="X-XSS-Protection" />
  <add name="Vary" value="Accept-Encoding" />
  <remove name="server" />
  <add name="Content-Security-Policy" value="default-src 'none';script-src 'self' ;object-src 'self' 'https://www.youtube.com/embed/OBI84brdBCI';style-src 'self' ;base-uri 'self';form-action 'self';img-src https: http: ;font-src https: ; frame-ancestors 'self';"/>
  <add name="X-Xss-Protection" value="1; mode=block" />
  <add name="Referrer-Policy" value="strict-origin" />
  <add name="X-Content-Type-Options" value="nosniff" />
  <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
  <!--
  <add name="X-Frame-Options" value="SAMEORIGIN" />
  <add name="Permissions-Policy" value="fullscreen=()" />-->
</customHeaders>

So I am getting the below issues in the console, and the entire site design is also disturbed. Please help me to resolve this.

localhost/:1 Failed to find a valid digest in the 'integrity' attribute for resource 'http://localhost:56244/css/bootstrap.min.css' with computed SHA-384 integrity 'YXdFsF5q5GYktpRMSNNglqzoOPh17LejMdqUx5CXo84zUtjPaKjj5E1CTAINo/gk'. The resource has been blocked.
localhost/:1 Failed to find a valid digest in the 'integrity' attribute for resource 'http://localhost:56244/javascripts/bootstrap.min.js' with computed SHA-384 integrity 'LG+vq3DwW7iX7BcYlMMlJ2l3yRf5XT8RtkvDeGZJHSNNiF7KSTtg0yQKiLqNFm4V'. The resource has been blocked.
localhost/:23 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-CvgPuDff3Hho4hKb1ZC6y9r6+XXqbP9sOgZajf3I+F4='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:78 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-UITiqbXyaWS7NpwiFrMIbdXAZy5EXLRUHkpylF4504k='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:1 Refused to load the script 'http://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

localhost/:96 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-CeYEunz5VQqxyULB+XWOP3sCX+mM+bzfzViw7EPtnwk='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:1 Refused to load the script 'http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.debug.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

localhost/:104 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-UxpZhPiRPznGyJM1BSK89gIr0wkT40MeN0ykcKyVQzc='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:109 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-2vr5KMButMK7a+bOf/ned/cPnF2yNooMulXA8E65wGw='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:1 Refused to load the script 'http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.debug.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

localhost/:116 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-EpuJI/NmOAh04fBw4hE5sQRnVYZ4A9EfEP8nroT/9cM='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:126 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-1Dj1GXl5SCvtMhdy8uv1Akr4WD7Y0kPmIK5ElIF9/mc='), or a nonce ('nonce-...') is required to enable inline execution.

24 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

localhost/:174 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

42 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

14 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-hAo6fw2WF0zjZtf7VZZQ6YI8Z3kPHD8B8b8Gtcx2oOI='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

18 The source list for the Content Security Policy directive 'object-src' contains an invalid source: ''<URL>''. It will be ignored.
18 Refused to frame '<URL>' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

localhost/:513 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-N6tSydZ64AHCaOWfwKbUhxXx2fRFDxHOaL3e3CO7GPI='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

localhost/:941 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

localhost/:977 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-7BnD9RIDXeUB9VD92tBlPwhEL1M/jh47BswRP35nxws='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

localhost/:998 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-+4oP7rS92I5ztYUBTys+bZMuh7XsZzbA8I7p/nx5hc4='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

localhost/:1020 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-vqdnKTbt/TvY3ePneXpp1hIoJNbqOs8DRqOx+stBf54='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:1673 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-5TmCSWsRHHKtNC4AgS23KS5Z9SBqma0xikI6H6iJ1/Y='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

localhost/:1705 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-a41VY2GgLCaYKz1KViZdYGquxnzPLRrCGAZskHvjZCQ='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:1710 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-p5EEK9dIuQvZLAPvcG9WSh/ajegn6KGDbAs3bZJTmdE='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:1 Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=G-PSJZ21FT8N' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

localhost/:1793 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-aFDORWdyFevVNsFN1yqS+nyf7tQzWbrtxHF06snqgPQ='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:1 Refused to load plugin data from 'https://www.youtube.com/embed/OBI84brdBCI' because it violates the following Content Security Policy directive: "object-src 'self' 'https://www.youtube.com/embed/OBI84brdBCI'".
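
Added example, not part of the original post: a small Node.js check that parses the policy string from the web.config above, reports the quoted-URL source that the console flags as invalid, resolves which directive governs frames and script elements when the specific one is absent, and derives the 'sha256-...' value the browser prints for an inline block. The function names are illustrative, and the keyword pattern covers a subset of the CSP Level 3 source grammar.

```javascript
const crypto = require('crypto');

// Policy value copied from the web.config in the post.
const POLICY = "default-src 'none';script-src 'self' ;object-src 'self' 'https://www.youtube.com/embed/OBI84brdBCI';style-src 'self' ;base-uri 'self';form-action 'self';img-src https: http: ;font-src https: ; frame-ancestors 'self';";

// Fallback chains for the fetch directives that appear in the console output.
const FALLBACK = {
  'script-src-elem': ['script-src', 'default-src'],
  'style-src-elem': ['style-src', 'default-src'],
  'frame-src': ['child-src', 'default-src'],
  'object-src': ['default-src'],
};

// Only keywords, nonces and hashes are written in single quotes (subset of the grammar).
const QUOTED_OK = /^'(self|none|unsafe-inline|unsafe-eval|wasm-unsafe-eval|unsafe-hashes|strict-dynamic|report-sample|nonce-[A-Za-z0-9+\/_-]+=*|sha(256|384|512)-[A-Za-z0-9+\/_-]+=*)'$/;

// Split the header into directive name -> source list; the first occurrence of a name wins.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// A host or URL wrapped in quotes is not a valid source expression and is ignored by the browser.
function invalidSources(policy) {
  const bad = [];
  for (const [directive, sources] of policy)
    for (const source of sources)
      if (source.startsWith("'") && !QUOTED_OK.test(source)) bad.push({ directive, source });
  return bad;
}

// The directive that actually decides a load of the given type, or null if none applies.
function effectiveDirective(policy, name) {
  return [name, ...(FALLBACK[name] || [])].find((d) => policy.has(d)) || null;
}

// Hash source for an inline block: base64 of SHA-256 over the exact text between the tags.
function inlineHash(text) {
  return "'sha256-" + crypto.createHash('sha256').update(text, 'utf8').digest('base64') + "'";
}

const parsed = parsePolicy(POLICY);
console.log(invalidSources(parsed));
console.log('frames governed by:', effectiveDirective(parsed, 'frame-src'));
console.log('script elements governed by:', effectiveDirective(parsed, 'script-src-elem'));
```

The hash is computed over the exact bytes of the inline block, so any whitespace change in the markup produces a different value.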
