content-security-policy

I'm training for Cordova application development and I turn around a problem with Content Security Policy. My application is running with the Android emulator, but when I have to execute a javascript I get a message in NetBeans (output window). Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.gstatic.com". (22:35:56:126 | error, security) at www/index.html:58 My code is below. This is my index.html. I try to understand how CSP works and I think I understand the concept, but in this case, I don't

W3C says there is a new attribute in HTML5.1 called nonce for style and script that can be used by the Content Security Policy of a website. I googled about it but finally didn't get it what actually this attribute do and what changes when using it? The nonce attribute enables you to “whitelist” certain inline script and style elements, while avoiding use of the CSP unsafe-inline directive (which would allow all inline script / style ), so that you still retain the key CSP feature of disallowing inline script / style in general. So the nonce attribute is way of telling browsers that the inline

This is my HTML: <!doctype html> <html> <head> <title>PassVault</title> <link rel="stylesheet" type="text/css" href="stil.css"> <meta charset="utf-8"> <script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js'></script> <script type="text/javascript"> $(document).ready(function () { $("div").css("border", "3px solid red"); }); </script> </head> <body> <div id="rainbow"> </div> <div id="loginBox"> <div id="welcome"> Dobrodošli, uporabnik! </div><br> </div> </body> </html> After the document loads up, it's supposed to put a red border around all my divs

I was trying to include JQuery on an existing website using console this way: var script = document.createElement('script'); script.src = 'http://code.jquery.com/jquery-1.11.1.min.js'; script.type = 'text/javascript'; document.getElementsByTagName('head')[0].appendChild(script); Then I got this error: Content Security Policy: The page's settings blocked the loading of a resource at http://code.jquery.com/jquery-1.11.1.min.js .. During development I might want to include external Javascript. I might not want to copy paste the entire JQuery code since it does not look neat. How to override the

In this simple example, I'm trying to set a CSP header with the meta http-equiv header. I included a base64 image and I'm trying to make Chrome load the image. I thought the data keyword should do that, but somehow it's not working. I just get the following error in Developer Tools: Refused to load the image 'data:image/png;base64,R0lGODlhDwAPAOZEAMkJCfAwMMYGBtZMTP75+euIiPFBP+hVVf3v7…nw7yk4Mjr6GLUY+joiBI2QAACABwJDCHgoKOHEoAYVBAgY8GGAxAoNGAmiwMHBCgccKDAKBAA7' because it violates the following Content Security Policy directive: "img-src 'self' data". The example code (JSFiddle is not working for

Chrome 18 Dev/Canary has just been released, and content_security_policy will be needed in the manifest for certain extensions. I'm trying to get a CSP working for inline scripting, but I don't know if I'm doing something wrong or if this is a Chrome 18 bug. manifest.json: { "name": "CSP Test", "version": "1.0", "manifest_version": 2, "options_page": "test.html", "content_security_policy": "default-src 'unsafe-inline'" } test.html: <html><head> <script type="text/javascript"> alert("hello"); </script> </head></html> In Chrome 18, this unpacked extension fails to load, displaying an error: If I

Following is my code of HTML Scripts: <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script> <script src="background.js"></script> HTML: <button name="btnlogin" id="btnlogin">Login</button><br/><br/> and following is js $(document).ready(function(){ document.getElementById("#btnlogin").click(function(){ alert("s"); }); }); manifest file: { "manifest_version": 2, "name": "One-click Kittens", "description": "This extension demonstrates a 'browser action' with kittens.", "version": "1.0", "browser_action": { "default_icon": "icon.png", "default_popup": "popup