Content Security Policy (CSP) Violation Fix
In this tutorial, you'll learn about Content Security Policy (CSP) Violation Fix. We cover key concepts, practical examples, and best practices.
Your browser console shows Refused to load the script because it violates the following Content Security Policy directive — a CSP header blocks legitimate resources, or the policy is too restrictive for your application.
Step-by-Step Fix
1. Check the CSP violation report
Browser console error:
Refused to load the script 'https://cdn.example.com/widget.js'
because it violates the following Content Security Policy directive:
"default-src 'self'". Note that 'script-src' was not explicitly set,
so 'default-src' is used as a fallback.
2. Add the domain to the CSP header
# Wrong — too restrictive, blocks all external scripts
from flask import Flask
from flask_talisman import Talisman
Talisman(app, content_security_policy={
"default-src": "'self'"
})
# Right — allow specific external domains
Talisman(app, content_security_policy={
"default-src": "'self'",
"script-src": [
"'self'",
"https://cdn.example.com",
"https://analytics.google.com",
],
"style-src": [
"'self'",
"https://fonts.googleapis.com",
],
"img-src": [
"'self'",
"data:",
"https://images.example.com",
],
})
3. Allow inline scripts with nonce
<!-- Wrong — inline script blocked by CSP -->
<script>
const apiKey = "abc123";
initApp();
</script>
<!-- Right — use nonce attribute -->
<script nonce="random123">
const apiKey = "abc123";
initApp();
</script>
# Server-side: include nonce in CSP
import secrets
nonce = secrets.token_urlsafe(16)
response.headers["Content-Security-Policy"] = \
f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"
4. Use report-only mode for testing
# First deploy in report-only mode to see violations
Talisman(app, content_security_policy={
"default-src": "'self'",
"script-src": "'self'",
}, content_security_policy_report_only=True,
content_security_policy_report_uri="/csp-violations")
Common Mistakes
| Mistake | Fix |
|---|---|
Using 'unsafe-inline' for scripts |
Use nonce or hash-based CSP instead of unsafe-inline |
Using 'unsafe-eval' unnecessarily |
Remove eval from the codebase and avoid 'unsafe-eval' |
| Forgetting to allow data: URIs for images | Add data: to img-src if base64 images are used |
CSP too permissive (* wildcard) |
Specify exact domains instead of wildcards |
| Blocking WebSocket connections | Add connect-src 'self' wss://example.com for WebSocket |
Prevention
- Start with a restrictive policy and use report-only mode to discover needed exceptions.
- Use nonce or hash-based CSP for inline scripts instead of
'unsafe-inline'. - Serve all resources from your own domain when possible.
- Set up a
report-urito collect CSP violation reports. - Monitor CSP reports to detect XSS attempts and misconfigurations.
DodaTech Tools
Doda Browser respects CSP directives and reports violations in its developer console panel. DodaZIP archives CSP policy versions for deployment auditing. Durga Antivirus Pro applies strict CSP defaults to its web-based management interface.
Common Mistakes with security policy
- Forgetting
deriving (Show, Eq)on custom data types needed for debugging - Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
- Using
headandtailinstead of pattern matching, causing runtime errors on empty lists
These mistakes appear frequently in real-world CONTENT code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
FAQ
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro