2
votes

Suddenly, this morning users reported that JS does not wokr in Chrome anymore for our website, with multiple exceptions like

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZJh1uUuWvO0I....uclbveH9owCmb/18HI3OU='), or a nonce ('nonce-...') is required to enable inline execution.

and

because it violates the following Content Security Policy directive: "script-src 'self'".

Seems like Chrome gets updated.... The current version installed on my machine

Version 61.0.3163.100 (Official Build) (64-bit)

We don't set security policy explicitly so I don't get where it is coming from. Firefox and IE work. Does anyone have the same problems? Any help appreciated.

2

2 Answers

1
votes

A bit rough on my side to blame Chrome for the issue. it turns out that the network team enforced security policy rules by adding headers to the response, and as result all JS now blocked. The headers they added are:

Headers

0
votes

Given the new information, the only solution is to ensure your scripts are on the same host as the page which loads them