Bug(?) - Content Security Policy Directives

Hi All,

I’m on a Mac, using Chrome. I’m trying to add a blog (hugomelo.com) to the alpha network. I’ve got it running successfully at http://blog.hugomelo.safenet/, but I noticed some CSS things are off. Looking at the console, I see this message repeated (with different hash values):

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' *.safenet". Either the 'unsafe-inline' keyword, a hash ('sha256-CrhESueoADUi4Z9HKAP/GOA32i8HuKNpSwufo8nqD84='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

After some googling, I added the following CSP:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';">

but I’m getting the same error messages; I’m probably doing something wrong.
Why does visiting the same HTML content hosted on GitHub Pages show no errors?
Is there a good default content security policy for static sites on the SAFE Network?
Should I turn off the CSP feature on my browser when testing safenet sites?

Thanks for the alpha release :slight_smile:

1 Like

Hi Hugomelo, the headers are set by the proxy. You do not need to set any. You need to comply with the policy. Basically all CSS and scripts need to be in separate files and linked to.
Hope that helps.

5 Likes
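
As an added example (not part of either post, and not code from the project), one way to check a static page against the policy quoted in the console message, `default-src 'self' *.safenet`, before uploading it: the scanner below reports inline styles, inline scripts, event-handler attributes and resources loaded from hosts outside `*.safenet`. The names `CspAudit`, `audit` and `FETCH_ATTRS` are hypothetical, and the sample markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Tags whose URL attribute fetches a subresource (subset; extend as needed).
FETCH_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

class CspAudit(HTMLParser):
    """Flag markup that "default-src 'self' *.safenet" refuses to load or run."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, description)
        self._open = None   # <script>/<style> whose inline body is pending

    def _add(self, msg):
        self.findings.append((self.getpos()[0], msg))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if "style" in attrs:
            self._add(f"<{tag}> has an inline style attribute")
        for name in (a for a in attrs if a.startswith("on")):
            self._add(f"<{tag}> has an inline {name} handler")
        # Host check only: relative URLs count as 'self', schemes are ignored.
        host = urlparse(attrs.get(FETCH_ATTRS.get(tag, "")) or "").hostname
        if host and not host.endswith(".safenet"):
            self._add(f"<{tag}> loads from {host}, outside 'self' *.safenet")
        if tag == "style" or (tag == "script" and "src" not in attrs):
            self._open = tag

    def handle_data(self, data):
        if self._open and data.strip():
            self._add(f"inline <{self._open}> block")
            self._open = None

    def handle_endtag(self, tag):
        if tag == self._open:
            self._open = None

def audit(html):
    parser = CspAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not the poster's actual markup.
SAMPLE = """<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="//fonts.example.com/font.css">
<style>body { margin: 0 }</style>
<p style="color: red" onclick="go()">hi</p>
<script>console.log(1)</script>"""
```

Calling `audit()` on the text of each generated HTML file returns `(line, description)` pairs; an empty list means the page uses only linked, same-site stylesheets and scripts.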