Contents inside <Script> included in the website do not load properly

Time:01-15

I created a web page by hardcoding HTML, but none of the content inside was loaded. The server I used sent index.html based on Node.js and strengthened security by using the helmet package. is as follows

Oh right, the environment I'm hosting in has the Cloudflare proxy with Rocket Loader automatic optimization turned on. I haven't encountered this problem before, so I don't know how to solve it. Stack Overflow geniuses, please tell me how to solve this.

Error 1 link:1 Refused to load the script 'https://code.jquery.com/jquery-2.2.1.min.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Error 2 ( Maybe this is error code ) Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-u6I07VvyW5BhxUTbnEAHBrRUw/KCbNvo='), or a nonce ('nonce-...') is required to enable inline execution.

First of all, I added Google, MS, and Oracle's jQuery CDNs to solve error number 1. And to solve error number 2, I put the JS in the STATIC folder and loaded it from outside, but it didn't work (loading seems to work - Console.log value exists in )

CodePudding user response:

It appears that your Content Security Policy (CSP) is blocking the loading of external scripts (such as the jQuery library) and inline scripts on your web page. The CSP is set to only allow scripts from the same origin ('self') to be loaded and executed, which is causing the errors you are seeing.

To solve error 1, you can try hosting a copy of the jQuery library on your own server and loading it from there, instead of using the external CDN. This will ensure that the script is coming from the same origin and will not be blocked by the CSP.

To solve error 2, you can add the 'unsafe-inline' keyword to the script-src directive in your CSP. This will allow inline scripts to be executed on your page. However, this is considered unsafe and can open up your site to cross-site scripting (XSS) attacks. A safer alternative would be to move your inline scripts to a separate script file and load it from there, or to use a nonce-based approach.

You may also try to check the CSP settings on Cloudflare, or check the package's documentation if you are using any packages on the server side.
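
The nonce-based approach mentioned in the answer, as an added example that is not part of the original question or answer: it builds a `script-src` policy with a per-response nonce and uses a simplified model of the browser's check to show why the two console errors occur and what clears them. The origin `https://example.test`, the `/static/` path, and all function names are assumptions; with helmet, the same source list would go in the `scriptSrc` entry of the `contentSecurityPolicy` directives.

```javascript
// Added example: simplified model of browser script-src checks (not full CSP).
const { randomBytes } = require('node:crypto');

const ORIGIN = 'https://example.test'; // constructed site origin (assumption)

// One fresh, unguessable nonce per response; never reuse across responses.
const newNonce = () => randomBytes(16).toString('base64');

// extraOrigins: full origins of script CDNs you decide to trust, if any.
function buildCsp(nonce, extraOrigins = []) {
  const sources = ["'self'", `'nonce-${nonce}'`, ...extraOrigins];
  return `default-src 'self'; script-src ${sources.join(' ')}`;
}

// Source list of the script-src directive in a policy string.
function scriptSources(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return values;
  }
  return [];
}

// script: { src } for an external file, { nonce } (or {}) for an inline block.
function isScriptAllowed(csp, script) {
  const sources = scriptSources(csp);
  if (script.src === undefined) {
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    if (!strict && sources.includes("'unsafe-inline'")) return true;
    return Boolean(script.nonce) && sources.includes(`'nonce-${script.nonce}'`);
  }
  const url = new URL(script.src, ORIGIN);
  return sources.some((s) =>
    (s === "'self'" && url.origin === ORIGIN) ||
    (!s.startsWith("'") && new URL(s).origin === url.origin));
}

// Page with self-hosted jQuery (path is hypothetical) and a nonce'd inline script.
function renderPage(nonce) {
  return '<script src="/static/jquery-2.2.1.min.js"></script>\n' +
    `<script nonce="${nonce}">console.log('inline ok');</script>`;
}
```
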
