I have created new asp.net mvc 5 project in visual studio 2015 professional
And I have added meta tag in my layout for Content Security Policy as –
<meta http-equiv="content-security-policy"
content="default-src 'none'; script-src 'self';
connect-src 'self'; img-src 'self'; style-src 'self';" />
Now when I run my application I get following error in chrome browser console –
Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-CwE3Bg0VYQOIdNAkbB/Btdkhul49qZuwgNCMPgNY5zw=’), or a nonce (‘nonce-…’) is required to enable inline execution.
modernizr-2.6.2.js:157
There are 6 errors for modernizr-2.6.2.js:157 and one is related to script, i.e. refused to load the script localhost
I don’t think I have any inline style in my project and then why CSP refused to apply error ?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Apparently modernizr either injects a style element with some CSS properties, or else injects some style attributes; you can deal with it by changing your CSP policy this:
<meta http-equiv="content-security-policy" content="default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'sha256-CwE3Bg0VYQOIdNAkbB/Btdkhul49qZuwgNCMPgNY5zw=';" />
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0