How to fix problem with CSP

Hello! I have a problem with CSP, how do I fix this?

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src". Either the 'unsafe-inline' keyword, a hash ('sha256-ScCk7JwXKy22dTO0VFM7aV1chV+yd/MUda4X6VnGans='), or a nonce ('nonce-...') is required to enable inline execution.

As a test, I went into safe mode; in safe mode there is the same problem.

It’s not my forte, but I’ve had a search and you may need to rewrite the inline script you’re trying to use:


I don’t want to disable CSP protection and I don’t have external scripts. I tried disabling all the plugins and the components of the topic; it didn’t help.

I tried adding all these links to the content security policy script src in the admin settings; the problem was the same :frowning:

You need to share your site URL for us to be able to help you.


Can I send it to your PM?


It seems I found the reason, it seems that the problem occurs because I use the meta tag CSP in my theme:

<meta http-equiv="Content-Security-Policy" content="img-src">

I need to use the img-src directive to limit the display of images from prohibited hosts.

Oh that CSP directive will indeed break Discourse completely.


How can I change the default CSP directives in the header, to add img-src without using the meta tag? I tried this in Rails, but nothing changed:

Rails.application.config.action_dispatch.default_headers.merge!({'Content-Security-Policy' => "upgrade-insecure-requests; base-uri 'self'; object-src 'none'; script-src; worker-src 'self'; frame-ancestors 'self'; manifest-src 'self'; img-src data:"})

I deleted this meta tag, rebuilt, and the problem was the same :frowning:
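
Added example, not part of the thread and not Discourse code: the error message above lists the three things that let an inline script run under script-src ('unsafe-inline', a hash, or a nonce), and a browser enforces every policy it receives, header and meta tag alike. This Ruby sketch computes the hash source for an inline script and checks it against one or several policies; the function names and sample policies are constructed for illustration.

```ruby
require 'digest'

# Parse a serialized policy into { directive name => [source expressions] }.
def parse_csp(policy)
  policy.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |dir, h|
    name, *sources = dir.split(/\s+/)
    h[name.downcase] ||= sources # a repeated directive is ignored; the first wins
  end
end

# Hash source for an inline script: base64(SHA-256) of the exact text between
# <script> and </script>, whitespace included.
def inline_hash(body)
  "'sha256-#{Digest::SHA256.base64digest(body)}'"
end

# Would one policy let this inline <script> element run?
def inline_script_allowed?(policy, body, nonce: nil)
  dirs = parse_csp(policy)
  sources = dirs['script-src-elem'] || dirs['script-src'] || dirs['default-src']
  return true if sources.nil? # policy has no directive that governs scripts
  return true if sources.include?(inline_hash(body))
  return true if nonce && sources.include?("'nonce-#{nonce}'")
  # 'unsafe-inline' is ignored once the list carries any nonce or hash source.
  strict = sources.any? { |s| s.match?(/\A'(nonce|sha(256|384|512))-/i) }
  sources.any? { |s| s.casecmp?("'unsafe-inline'") } && !strict
end

# Every delivered policy (header and <meta>) is enforced; all must agree.
def allowed_by_all?(policies, body, nonce: nil)
  policies.all? { |p| inline_script_allowed?(p, body, nonce: nonce) }
end

# Constructed sample input (not taken from the thread's site).
SCRIPT = "console.log('hello');"
HEADER = "object-src 'none'; script-src; img-src data:" # empty script-src list
FIXED  = "object-src 'none'; script-src #{inline_hash(SCRIPT)}; img-src data:"
META   = 'img-src data:' # a second policy delivered by a <meta> tag

puts inline_hash(SCRIPT)
puts inline_script_allowed?(HEADER, SCRIPT)         # false
puts allowed_by_all?([FIXED, META], SCRIPT)         # true
puts allowed_by_all?([FIXED, 'script-src'], SCRIPT) # false
```

A second policy can only restrict further: it never re-enables something another policy blocks.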