What is the name of the domain?
What is the error number?
No specific error number, but the browser blocks scripts due to CSP.
What is the error message?
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'nonce-LJnvzxI0w7Epsmr6' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-…'), or a nonce ('nonce-…') is required to enable inline execution.
What is the issue you’re encountering?
I am implementing Cloudflare Turnstile on my ASP.NET WebForms website, and I am encountering a CSP error that prevents scripts from running. The browser refuses to execute the script due to a missing or incorrect nonce. However, I have not explicitly set a CSP policy, and I cannot find where the nonce is being generated.
What steps have you taken to resolve the issue?
- Ensured that my server does not explicitly set any CSP headers.
- Attempted to add a manually generated nonce to the Turnstile script in the server response.
- Checked my DevTools to see if CSP headers are injected dynamically.
- Cleared Cloudflare cache and disabled Cloudflare proxy to see if the issue persists.
- Verified that /cdn-cgi/ is accessible and not blocked by my security policies.
- Tried to set script-src in my CSP policy to allow Turnstile, but the issue persists.
- Attempted to load the script dynamically via JavaScript instead of embedding it directly in the HTML.
What are the steps to reproduce the issue?
- Visit https://dev.calmark.co.il/.
- Click on the “בדיקה” (“Check”) button.
- Look for CSP-related errors preventing Turnstile from executing.
- Observe that nonce is being enforced despite not being explicitly set in my CSP headers.
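
The directive quoted in the error message, evaluated in a simplified model, as an added example that is not part of the original post: a nonce in script-src covers script elements that carry it, does not cover `javascript:` URLs, and causes 'unsafe-inline' to be ignored. The function names and the sample response are constructed for illustration; a policy can reach the page through a response header or a `<meta>` tag, and every delivered policy has to allow the script.

```javascript
// Added example. Simplified model: only nonce/hash sources and 'unsafe-inline'
// in script-src (falling back to default-src) are considered. Not modelled:
// 'unsafe-hashes', 'strict-dynamic', script-src-elem / script-src-attr.

// Collect every policy delivered with a response: header(s) and <meta> tags.
function collectPolicies(headers, html) {
  const found = [];
  for (const [name, value] of headers) {
    if (name.toLowerCase() === 'content-security-policy') {
      found.push({ origin: 'header', policy: value });
    }
  }
  const meta = /<meta[^>]+http-equiv=["']content-security-policy["'][^>]*content="([^"]*)"/gi;
  for (const m of html.matchAll(meta)) found.push({ origin: 'meta', policy: m[1] });
  return found;
}

// Return the source list that governs scripts, or null if the policy has none.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// What one policy allows for a <script> carrying `nonceOnElement`
// and for a javascript: URL (for example in an href).
function evaluate(policy, nonceOnElement) {
  const sources = scriptSources(policy);
  if (sources === null) return { nonceScript: true, javascriptUrl: true };
  const nonces = sources.filter((s) => /^'nonce-/i.test(s)).map((s) => s.slice(7, -1));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  // 'unsafe-inline' is ignored as soon as the list contains a nonce or a hash.
  const inlineOk = sources.some((s) => s.toLowerCase() === "'unsafe-inline'") &&
    nonces.length === 0 && !hasHash;
  // A javascript: URL has no element to carry a nonce, so only inlineOk helps it.
  return { nonceScript: inlineOk || nonces.includes(nonceOnElement), javascriptUrl: inlineOk };
}

// Constructed sample response; the policy string is the one quoted in the error message.
const sampleHeaders = [['Content-Security-Policy', "script-src 'nonce-LJnvzxI0w7Epsmr6' 'unsafe-eval'"]];
const sampleHtml = '<html><head></head><body></body></html>';
for (const { origin, policy } of collectPolicies(sampleHeaders, sampleHtml)) {
  console.log(origin, evaluate(policy, 'LJnvzxI0w7Epsmr6'));
}
```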