date 2021-11-17

Violates the Content Security Policy

General Web Dev
#1

This Date script won’t run when the page loads because it violates the CSP at top (it worked before adding the CSP). Yet it surely isn’t inline JS, is it? Why would it not run? (This page is “company1.”)

```html
<meta http-equiv="Content-Security-Policy" content="default-src www.company1.com https://www.company2.com https://company3.com; script-src 'self' www.company1.com; child-src 'none'; object-src 'none'; font-src 'none'; plugin-types 'none'; frame-src 'none'; media-src 'none'; form-action www.company1.com;">

<div class="rowgr pad2">
    <div class="rowflleft cen">
        <p><span id="copyright">&copy;2012-<span id="year"></span> company name, Inc.</span></p>
    </div>
</div>

<script>
    var d = new Date();
    document.getElementById("year").innerHTML = d.getFullYear();
</script>
```

#4

I think this needs to be moved to the JavaScript department.

#5

Moved, as requested.

#8

How do I make the following images not be rejected by the CSP for “company1”? After all, I added img-src… to it as an exception:

```html
<meta http-equiv="Content-Security-Policy" content="default-src www.company1.com https://www.company2.com https://company3.com; img-src www.company1.com https://www.company2.com https://company3.com; script-src 'self' www.company1.com; child-src 'none'; object-src 'none'; font-src 'none'; frame-src 'none'; media-src 'none'; form-action www.company1.com;">
```

It needs to apply here:

```html
<link rel="icon" type="image/png" sizes="48x48" href="http://www.companyname.com/ae/icon_48.png">
```
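
Added example, not part of the original posts: a simplified model of how a browser evaluates the policy from post #8 against the inline script from post #1 and the icon URL above. It assumes the page is served from `https://www.company1.com` (the thread does not state the scheme), uses function names of its own, and models scheme and host matching only, not ports, paths or hash sources.

```javascript
// Policy text from post #8. PAGE is an assumed origin for the "company1" page.
const POLICY = "default-src www.company1.com https://www.company2.com https://company3.com; " +
  "img-src www.company1.com https://www.company2.com https://company3.com; " +
  "script-src 'self' www.company1.com; child-src 'none'; object-src 'none'; " +
  "font-src 'none'; frame-src 'none'; media-src 'none'; form-action www.company1.com;";
const PAGE = new URL("https://www.company1.com/");

// Split "name src1 src2; ..." into a Map of directive name -> source list.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fetch directives such as img-src fall back to default-src when absent.
function sourcesFor(directives, name) {
  return directives.get(name) ?? directives.get("default-src") ?? null;
}

// Simplified source-list match on scheme and host; ports and paths are not modelled.
function urlAllowed(sources, url, page = PAGE) {
  if (sources === null) return true; // no directive governs this fetch
  const target = new URL(url, page);
  return sources.some((src) => {
    if (src === "*") return /^https?:$/.test(target.protocol);
    if (src === "'self'") return target.origin === page.origin;
    if (src.startsWith("'")) return false; // 'none', nonces, hashes never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
    if (!m) return false;
    // A source without a scheme inherits the page's; http sources also match https.
    const scheme = m[1] ? m[1].toLowerCase() + ":" : page.protocol;
    const schemeOk = target.protocol === scheme || (scheme === "http:" && target.protocol === "https:");
    const host = m[2].toLowerCase();
    const hostOk = host.startsWith("*.") ? target.hostname.endsWith(host.slice(1)) : target.hostname === host;
    return schemeOk && hostOk;
  });
}

// Inline <script> has no URL: it needs 'unsafe-inline' (void if a nonce/hash is listed) or a matching nonce.
function inlineScriptAllowed(directives, nonce = null) {
  const sources = sourcesFor(directives, "script-src");
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return !strict && sources.includes("'unsafe-inline'");
}
```

With the hostnames exactly as posted, the inline script block from post #1 is refused because `script-src` lists neither `'unsafe-inline'` nor a nonce, while a same-origin script file would satisfy `'self'`. The icon URL is refused because `www.companyname.com` is not in `img-src`, and under the assumed HTTPS page an `http://` URL would not match the scheme-less `www.company1.com` entry either.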

#9

Moved back to general web dev since you’re no longer asking about JS files :wink:

#10

:roll_eyes: Got it! I deleted the earlier messages to cut down on scrolling.