Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'nonce-' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-…'), or a nonce ('nonce-…') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
What is the issue you’re encountering
Is it even possible to implement Turnstile without all of these errors?
What steps have you taken to resolve the issue?
I have tried, while implementing this on my side, every possible permutation of Content Security Policy; however, nothing works. I started trying to find a working example, only to realise that everyone has the same issue, including Cloudflare’s own site?! The documentation seems to imply this is an easy fix: Content Security Policy · Cloudflare Turnstile docs
I’m also facing the same issue, and every CSP-related setting doesn’t seem to do anything. In this doc there is a note about using a nonce if you run into this issue; however, even a nonce doesn’t fix the issue.
I am also facing this issue. It seems to work fine on iOS and Windows/Linux desktops (Brave, Safari, Edge, Chrome).
However it seems that the Turnstile token is being generated on my page after 20-30s for Androids, which then would allow the Android user to finally submit the form.
Also seeing this error. I’m experiencing this issue on my project as well, even after trying to update the CSP headers and adding a nonce. Has anyone found a workaround or an official fix from Cloudflare? Any insights would be helpful.
I also have this error. I am using nonces within my project with a 'strict-dynamic' policy. I believe the Cloudflare script is adding a JavaScript URL (example: javascript:alert('')) and this is forbidden by the CSP. My captcha seems to work
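Added example, not part of any post in this thread and not Cloudflare's code: it applies the CSP Level 3 inline check for `javascript:` navigations to a policy string, which shows why a nonce or 'strict-dynamic' leaves the error quoted at the top of the thread in place. The function names, sample policies and nonce value are constructed for illustration.

```javascript
// Added example. Policies and the nonce value below are constructed samples.
const NONCE_RE = /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/i;
const HASH_RE = /^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/i;

// Source list that governs javascript: navigations. CSP Level 3 checks them
// against script-src-elem, falling back to script-src, then default-src.
function governingSourceList(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first copy wins
  }
  for (const d of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(d)) return { directive: d, tokens: directives.get(d) };
  }
  return null;
}

function javascriptUrlVerdict(policy) {
  const list = governingSourceList(policy);
  if (list === null) return { verdict: 'allowed', why: 'no directive governs scripts' };
  const keywords = new Set(list.tokens.map((t) => t.toLowerCase()));
  const hasNonce = list.tokens.some((t) => NONCE_RE.test(t));
  const hasHash = list.tokens.some((t) => HASH_RE.test(t));
  const strictDynamic = keywords.has("'strict-dynamic'");

  // 'unsafe-inline' only counts when no nonce, hash or 'strict-dynamic' is present.
  if (keywords.has("'unsafe-inline'") && !hasNonce && !hasHash && !strictDynamic) {
    return { verdict: 'allowed', why: `'unsafe-inline' in ${list.directive}` };
  }
  // A navigation has no element to carry a nonce attribute, so nonces never match.
  // Hashes are consulted for navigations only when 'unsafe-hashes' is present.
  if (hasHash && keywords.has("'unsafe-hashes'")) {
    return { verdict: 'needs-hash-match', why: 'a listed hash must match (not computed here)' };
  }
  const ignored = keywords.has("'unsafe-inline'") ? "; 'unsafe-inline' is ignored" : '';
  return { verdict: 'blocked', why: `${list.directive} has no usable inline grant${ignored}` };
}

for (const p of [
  "script-src 'nonce-r4nd0m' 'unsafe-eval'",
  "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline'",
]) {
  const r = javascriptUrlVerdict(p);
  console.log(`${r.verdict.padEnd(8)} ${p}  (${r.why})`);
}
```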
Cloudflare Turnstile captcha stopped working on my website too. I can’t pass it; it’s either spinning infinitely by itself or, after the click, not resolving and stuck with the message “Stuck here” submit feedback. Here is the Ray ID of the example: Ray ID: 919164f539d772ab
Yes! I’ve tested all edge cases, and everything is now working perfectly.
At the moment, there are zero console issues, except for Google’s document.write notice, which isn’t affecting functionality.
Could you share your code or describe the specific use case you’re facing?
I’m finalizing a complete WordPress solution for Elementor, popups, and multiple Turnstile instances on the same page. This will be published on GitHub soon, so any additional insights would be great to refine it further.