I'm attempting to help one of our QA engineers be able to run a script on the console in our dev environment.
The script-src portion of the CSP is as follows:
script-src 'unsafe-inline' 'self' *.fontawesome.com *.cloudflare.com *.unpkg.com;
However, when executing their script, I receive this error:
[Report Only] Refused to load the script 'https://unpkg.com/gremlins.js' because it violates
the following Content Security Policy directive: "script-src 'unsafe-inline' 'self' *.fontawesome.com
*.cloudflare.com *.unpkg.com". Note that 'script-src-elem' was not explicitly set, so 'script-src'
is used as a fallback.
Shouldn't *.unpkg.com in the Content Security Policy cover this scenario? What am I missing here?
No. *.unpkg.com allows all subdomains of unpkg.com, but not unpkg.com itself. You will need to add unpkg.com to script-src.