I am following Google's strict CSP policy for my CSP header, and I am properly adding the nonce; however, I keep getting this error in the browser for my scripts:
Refused to load the script 'http://localhost:8080/client/dist/inline.6e0c61259742e86be1dd.bundle.js' because it violates the following Content Security Policy directive: "script-src nonce-XVlBzgbaiCMRAjWwhTHctcuAxhxKQFDaFpLSjFbcXoEFfRsWxP 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled.
As you can see, the nonce matches the nonce in the script:
<script type="text/javascript" src="/client/dist/inline.6e0c61259742e86be1dd.bundle.js" nonce="XVlBzgbaiCMRAjWwhTHctcuAxhxKQFDaFpLSjFbcXoEFfRsWxP"></script>
This is the CSP header I'm using for script-src. The "%s" represents the randomly generated nonce, which will be interpolated before the header is set on the response:
script-src nonce-%s 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
What am I doing wrong here?
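As an added example (not code from the question's author), the following Python models how a browser tokenizes a script-src directive: a nonce source is only recognized in the quoted form 'nonce-...', while an unquoted nonce-... token is parsed as a host source, which 'strict-dynamic' then ignores. It also builds a strict-CSP directive with a fresh per-response nonce. The function names are my own.

```python
import base64
import re
import secrets

# CSP grammar: a nonce source is the single-quoted token 'nonce-<base64-value>'.
# Without the quotes the token is a host-source, not a nonce.
NONCE_SOURCE = re.compile(r"^'nonce-([A-Za-z0-9+/\-_]+=*)'$")


def generate_nonce(num_bytes: int = 16) -> str:
    """Fresh, unpredictable per-response nonce, base64-encoded as CSP expects."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_strict_script_src(nonce: str) -> str:
    """Strict-CSP style script-src directive with a correctly quoted nonce source.
    'unsafe-inline' and the https:/http: hosts are fallbacks for older browsers;
    a browser that understands nonces and 'strict-dynamic' ignores them."""
    return f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https: http:"


def classify_script_src(directive: str) -> dict:
    """Split a script-src directive into nonce sources, quoted keywords and
    host sources, the way a CSP parser interprets each token."""
    tokens = directive.rstrip(";").split()
    if not tokens or tokens[0] != "script-src":
        raise ValueError("expected a script-src directive")
    result = {"nonces": [], "keywords": [], "hosts": []}
    for tok in tokens[1:]:
        m = NONCE_SOURCE.match(tok)
        if m:
            result["nonces"].append(m.group(1))
        elif tok.startswith("'") and tok.endswith("'"):
            result["keywords"].append(tok)
        else:
            result["hosts"].append(tok)  # unquoted nonce-... lands here
    return result


def script_allowed_under_strict_dynamic(directive: str, script_nonce: str) -> bool:
    """With 'strict-dynamic' present, host-based allow-listing is disabled, so an
    external script loads only if its nonce attribute matches a parsed nonce
    source (hash sources are out of scope for this model)."""
    parsed = classify_script_src(directive)
    if "'strict-dynamic'" not in parsed["keywords"]:
        raise ValueError("this model only covers directives using 'strict-dynamic'")
    return script_nonce in parsed["nonces"]


if __name__ == "__main__":
    nonce = generate_nonce()
    print(build_strict_script_src(nonce))
    print(classify_script_src(f"script-src nonce-{nonce} 'strict-dynamic' https: http:;"))
```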