Setting Content-Security-Policy for

I ran up against some problems with setting a Content-Security policy for my site with some of the Babylon tools.

If you set content-security to allow scripts from, the main babylon javascript is fine. However, there seems to be a problem with inline styles.

Here is my Content-Security Policy:

CSP Default: "default-src 'self'; ",

CSP Font: "font-src 'self'; ",

CSPImage: "img-src 'self'; ",

CSPScript: "script-src 'self'; ",

CSPStyle: "style-src 'self' 'https: unsafe-inline'; ",

CSPFrame: "frame-src 'self'; ",

CSPConnect: "connect-src 'self'; ",

CSPChild: "child-src 'none'; "

With this policy you get the following errors for these JS files, inline CSS styles.


babylon.nodeEditor.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ ‘https: unsafe-inline’ wss://”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-LEMQFMag6nAOSGRcnBfcnF923MUY+d8a9Rs4ZIbPe7M=’), or a nonce (‘nonce-…’) is required to enable inline

I have no idea how this works :smiley:

inspector and nodeEditor are webpack based and are doing css injection but I don’t know what to do beside that

Yes, it’s a reaction to the inline scripts. If you get rid of the ‘https:’ it works.
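
Why the browser kept refusing the inline styles, shown as an added example that is not part of the thread or of Babylon.js: a CSP source list is split on whitespace, so the posted `'https: unsafe-inline'` becomes two malformed tokens and the `'unsafe-inline'` keyword is never seen. The linter below checks the posted policy and the variant without `https:`; its function names and the simplified host pattern are assumptions of this example.

```javascript
// Added example, not Babylon.js code. Common CSP Level 3 keyword sources (not exhaustive).
const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'"]);
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}'$/;
const SCHEME = /^[A-Za-z][A-Za-z0-9+.-]*:$/;
// Assumption: simplified host-source pattern, sufficient for linting.
const HOST = /^([A-Za-z][A-Za-z0-9+.-]*:\/\/)?(\*|(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*)(:(\d+|\*))?(\/\S*)?$/;

// Directive name -> source tokens. Tokens are separated by whitespace only;
// quotes never group several words into one token.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function classify(token) {
  if (KEYWORDS.has(token.toLowerCase())) return "keyword";
  if (NONCE_OR_HASH.test(token)) return "nonce-or-hash";
  if (SCHEME.test(token)) return "scheme";
  if (!token.includes("'") && HOST.test(token)) return "host";
  return "invalid"; // browsers skip tokens they cannot parse
}

// Report every source token a browser would ignore.
function lintPolicy(policy) {
  const findings = [];
  for (const [directive, sources] of parsePolicy(policy)) {
    for (const token of sources) {
      if (classify(token) === "invalid") findings.push({ directive, token });
    }
  }
  return findings;
}

// Simplification: ignores style-src-elem / style-src-attr.
function allowsInlineStyle(policy) {
  const d = parsePolicy(policy);
  const sources = d.get("style-src") ?? d.get("default-src");
  if (!sources) return true; // no directive governs styles
  return sources.some((t) => t.toLowerCase() === "'unsafe-inline'") &&
    !sources.some((t) => classify(t) === "nonce-or-hash"); // nonce/hash disables 'unsafe-inline'
}

// The policy strings from the post, concatenated, and the variant from the last reply.
const POSTED = "default-src 'self'; font-src 'self'; img-src 'self'; script-src 'self'; style-src 'self' 'https: unsafe-inline'; frame-src 'self'; connect-src 'self'; child-src 'none'; ";
const WITHOUT_HTTPS = POSTED.replace(" 'https: unsafe-inline'", " 'unsafe-inline'");
```

Running `lintPolicy(POSTED)` flags `'https:` and `unsafe-inline'` under `style-src`, while `WITHOUT_HTTPS` lints clean and permits inline styles.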