What is the name of the domain?
netlify.app
What is the error number?
v1?ray=917f7cee2c82e27e&lang=auto:1
What is the error message?
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: “script-src ‘nonce-SLmr9vgXhSA2roqh’ ‘unsafe-eval’”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-…’), or a nonce (‘nonce-…’) is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the ‘unsafe-hashes’ keyword is present.
What is the issue you’re encountering
I’m experiencing an error in my web browser console that continues to appear even after I temporarily disabled the Content Security Policy (CSP) in my configuration. I am looking to either resolve this error or understand its implications to determine if it can be safely ignored. I am concerned that this issue may prevent my site visitors from interacting properly with the site, depending on their browser. If anyone has faced this issue before and has either resolved it or found a way to manage it, I would greatly appreciate your insights. Despite the error, it appears that I still receive my Turnstile confirmation token after the error occurs.
What steps have you taken to resolve the issue?
I commented out the Content Security Policy in my Netlify build file to disable it:
# Security and performance
[[headers]]
for = "/*"
[headers.values]
Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
X-Frame-Options = "DENY"
X-XSS-Protection = "1; mode=block"
X-Content-Type-Options = "nosniff"
Referrer-Policy = "strict-origin-when-cross-origin"
Feature-Policy = "geolocation 'self'; microphone 'none'"
Content-Security-Policy = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; frame-src *; connect-src *;"
What are the steps to reproduce the issue?
I’ve simply integrated a spam prevention system using Turnstile, but ever since I started the integration, my browser console keeps warning me of an issue, even though the Turnstile token is present!
Netlify config:
# Netlify configuration file for a Hugo site
[build]
command = "hugo --gc --minify"
publish = "public"
functions = "netlify/functions"
[build.environment]
HUGO_VERSION = "0.143.1"
HUGO_ENV = "production"
TZ = "Europe/Paris"
[context.production]
command = "hugo --gc --minify --baseURL=$URL"
[context.production.environment]
HUGO_VERSION = "0.143.1"
HUGO_ENV = "production"
[context.deploy-preview]
command = "hugo --buildDrafts --buildFuture --baseURL=$DEPLOY_PRIME_URL --minify"
[context.deploy-preview.environment]
HUGO_VERSION = "0.143.1"
HUGO_ENV = "preview"
##################
# HTTP headers
##################
# Security and performance
[[headers]]
for = "/*"
[headers.values]
Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
X-Frame-Options = "DENY"
X-XSS-Protection = "1; mode=block"
X-Content-Type-Options = "nosniff"
Referrer-Policy = "strict-origin-when-cross-origin"
Feature-Policy = "geolocation 'self'; microphone 'none'"
Content-Security-Policy = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; frame-src *; connect-src *;"
#########################
# Optimized caching
#########################
# Long-term cache for CSS
[[headers]]
for = "/css/*"
[headers.values]
Cache-Control = "public, max-age=31536000, immutable"
# Long-term cache for JS
[[headers]]
for = "/js/*"
[headers.values]
Cache-Control = "public, max-age=31536000, immutable"
# Long-term cache for images
[[headers]]
for = "/images/*"
[headers.values]
Cache-Control = "public, max-age=31536000, immutable"
#########################
# Secured Netlify API
#########################
[[headers]]
for = "/.netlify/functions/*"
[headers.values]
Access-Control-Allow-Origin = "https://manifestedulibertinage.netlify.app"
Access-Control-Allow-Methods = "GET, POST, OPTIONS"
Access-Control-Allow-Headers = "Content-Type, Authorization"
#########################
# HTTP to HTTPS redirect
#########################
[[redirects]]
from = "http://*"
to = "https://:splat"
status = 301
force = true
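
An added example, not part of the original post: it parses the `Content-Security-Policy` value from the configuration above and the directive quoted in the console error, then applies the CSP Level 3 rule that a nonce or hash causes 'unsafe-inline' to be ignored. The function names are illustrative, and the policy strings are taken from the post with straight quotes. A result showing that the two source lists differ means the blocking policy is not the one set in `netlify.toml`; which document serves it (for instance the widget's own frame) is an assumption the post does not confirm.

```javascript
// Added example (not from the post); function names are illustrative.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for scripts: script-src, else default-src, else null (unrestricted).
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get('script-src') ?? d.get('default-src') ?? null;
}

// CSP Level 3: 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present,
// and a nonce cannot be attached to a javascript: URL or an inline event handler.
// Simplification: hash matching through 'unsafe-hashes' is not modelled.
function allowsJavascriptUrl(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const overridesInline = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/i.test(s) || s.toLowerCase() === "'strict-dynamic'");
  const hasUnsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return hasUnsafeInline && !overridesInline;
}

// True when both policies carry the same set of script sources.
function sameScriptSources(a, b) {
  const norm = (p) => JSON.stringify([...(scriptSources(p) ?? [])].sort());
  return norm(a) === norm(b);
}

const configuredPolicy = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; " +
  "style-src * 'unsafe-inline'; frame-src *; connect-src *;";
const reportedDirective = "script-src 'nonce-SLmr9vgXhSA2roqh' 'unsafe-eval'";
function diagnose(configured, reported) {
  return {
    configuredAllowsJsUrl: allowsJavascriptUrl(configured),
    reportedAllowsJsUrl: allowsJavascriptUrl(reported),
    samePolicy: sameScriptSources(configured, reported),
  };
}

console.log(diagnose(configuredPolicy, reportedDirective));
```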