Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”)
The CSP can be defined either in your index.html (front-end) or in the web server (back-end).
In case of front end, you should find something like:
<html> <head> <meta charset="utf-8"/> <meta http-equiv="X-UA-Compatible" content="IE=11"/> <meta http-equiv="Cache-Control" content="no-cache"/> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self';"/> <title> </title> </head>
According to your error message, you need to replace
default-src 'none'
by
default-src 'self'
As for the back-end, apparently there is no CSP reference in your NodeJS code.
I highly suggest to secure your headers with helmet library (https://helmetjs.github.io/), but you need to be careful because by default helmet will block your page scripts e.g. AJAX requests, so when using defaults you will get error such as: Content Security Policy: The page's settings blocked the loading of a resource at inline ("default/src") or similar, to fix this I needed to write helmet options manually.
In my project I was using the following configuration:
app.use( helmet.contentSecurityPolicy({ useDefaults: false, "block-all-mixed-content": true, "upgrade-insecure-requests": true, directives: { "default-src": [ "'self'" ], "base-uri": "'self'", "font-src": [ "'self'", "https:", "data:" ], "frame-ancestors": [ "'self'" ], "img-src": [ "'self'", "data:" ], "object-src": [ "'none'" ], "script-src": [ "'self'", "https://cdnjs.cloudflare.com" ], "script-src-attr": "'none'", "style-src": [ "'self'", "https://cdnjs.cloudflare.com" ], }, }), helmet.dnsPrefetchControl({ allow: true }), helmet.frameguard({ action: "deny" }), helmet.hidePoweredBy(), helmet.hsts({ maxAge: 123456, includeSubDomains: false }), helmet.ieNoOpen(), helmet.noSniff(), helmet.referrerPolicy({ policy: [ "origin", "unsafe-url" ] }), helmet.xssFilter()
I disabled default to write everything manually, since I might have external scripts, requests etc. so I needed to define them additionally.
This configuration will solve blocked resource errors like:
- Content Security Policy: The page's settings blocked the loading of a resource at inline ("default/src")
- Content Security Policy: The page's settings blocked the loading of a resource at inline ("img/src")
- Content Security Policy: The page's settings blocked the loading of a resource at inline ("script/src")