Refused to load script from <URL> despite strict-dynamic #50

Open
rajdotio opened this issue Jun 20, 2022 · 5 comments

@rajdotio

Hi Team,

I'm using the webpack plugin on an Angular app. However, the Chrome browser refuses to load the scripts added by the loader. Shouldn't the browser trust these scripts, because strict-dynamic is present and they were loaded by the loader script whose sha256 is allowed in script-src?

```
Refused to load the script 'https://myapp.mywebsite.com/app/4493-ce4021c07yds7s87.js'
because it violates the following Content Security Policy directive:
"script-src 'strict-dynamic' 'sha256-mdiRA9U1beoJQUxqe51WTscrp2eub7BXW/j51AWQiy8=' https: 'unsafe-inline'".
Note that 'strict-dynamic' is present, so host-based allowlisting is disabled.
Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
```

@rajdotio
Author

It seems script-src-elem doesn't fall back to script-src in Chrome. I even tried using a nonce without the loader script and am facing the same issue. I feel this might be a browser issue.

@rajdotio
Author

Checked with Firefox 101.0.1 (64-bit) and I don't face this issue. So it seems indeed the issue is with Chrome Version 102.0.5005.115 (Official Build) (64-bit).

@maudnals
Collaborator

maudnals commented Jul 20, 2022

Hey there, sorry for the delayed reply!
Are you still facing this issue in newer Chrome versions?

@rajdotio
Author

rajdotio commented Jul 21, 2022 via email

@Trinovantes

I also encountered this error only on Chrome. I'm not sure if it's related to your issue because my JS still worked; I just saw a bunch of errors in my console. Turns out my errors were due to preload tags, e.g. `<link rel="preload" href="/public/main.31cc4d09ab2b36e5289a.js" as="script">`.

Unfortunately prefetch-src is currently not implemented in any browser so I had to remove all my preload tags.
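
The following is an added example, not code from this thread or from the plugin: it applies the CSP Level 3 `'strict-dynamic'` rules to the policy quoted in the error message, then lists `<link rel="preload" as="script">` tags that carry no nonce from the policy. The function names and sample markup are constructed, and it assumes (as the last comment reports for Chrome) that script preloads are checked against `script-src`.

```javascript
// Policy string copied from the error message in the first post.
const POLICY = "script-src 'strict-dynamic' " +
  "'sha256-mdiRA9U1beoJQUxqe51WTscrp2eub7BXW/j51AWQiy8=' https: 'unsafe-inline'";
// Constructed markup: the preload tag from the last comment plus a nonced one.
const SAMPLE_HTML = `
<link rel="preload" href="/public/main.31cc4d09ab2b36e5289a.js" as="script">
<link rel="preload" href="/public/vendor.js" as="script" nonce="r4nd0m">
<link rel="stylesheet" href="/public/app.css">`;

// Split a script-src value into sources a CSP3 browser honours or ignores.
function effectiveScriptSources(policy) {
  const tokens = policy.trim().split(/\s+/).filter((t) => t !== "script-src");
  const isNonce = (t) => /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/.test(t);
  const isHash = (t) => /^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/.test(t);
  const strictDynamic = tokens.includes("'strict-dynamic'");
  const hasNonceOrHash = tokens.some((t) => isNonce(t) || isHash(t));
  const honoured = [], ignored = [];
  for (const t of tokens) {
    if (t === "'strict-dynamic'" || isNonce(t) || isHash(t)) honoured.push(t);
    // A nonce, hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline'.
    else if (t === "'unsafe-inline'")
      (hasNonceOrHash || strictDynamic ? ignored : honoured).push(t);
    // With 'strict-dynamic', host and scheme sources and 'self' are ignored.
    else if (strictDynamic && (t === "'self'" || !t.startsWith("'"))) ignored.push(t);
    else honoured.push(t);
  }
  return { strictDynamic, honoured, ignored };
}

// List script preloads that carry no nonce named in the policy (assumed model:
// preloads are checked against script-src). Regex scan, not a full HTML parser.
function unnoncedScriptPreloads(html, policy) {
  const { strictDynamic, honoured } = effectiveScriptSources(policy);
  if (!strictDynamic) return [];
  const flagged = [];
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    const attr = (name) => {
      const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i"));
      return m ? m[1] : null;
    };
    if ((attr("rel") || "").toLowerCase() !== "preload") continue;
    if ((attr("as") || "").toLowerCase() !== "script") continue;
    const nonce = attr("nonce");
    if (!nonce || !honoured.includes(`'nonce-${nonce}'`)) flagged.push(attr("href"));
  }
  return flagged;
}
console.log(effectiveScriptSources(POLICY), unnoncedScriptPreloads(SAMPLE_HTML, POLICY));
```

Run against built HTML, this shows that `https:` in the reported policy contributes nothing once `'strict-dynamic'` is present, and which preload tags need a nonce or removal.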
