Content-Security-Policy: The page’s settings blocked an inline script

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Riad
    Member
    • Aug 2018
    • 36
    #1

    Content-Security-Policy: The page’s settings blocked an inline script

    Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' 'nonce-a40c5d449d7c0a7ee2cd9978d392ef59' 'unsafe-eval' https://maps.googleapis.com” The admin settings not display in my account menu and the notifications icon not display the mention not works
    Attached Files
    Last edited by Riad; 05-12-2025, 12:28 PM.
    Tags: None
    • lazovic
      Super Moderator
      • Jan 2022
      • 1210
      #2
      Hi Riad,

      You may need to disable the clientCspDisabled parameter in the EspoCRM instance configuration file to get rid of this error: https://docs.espocrm.com/administrat...rams/#security.

      Config parameters can be changed or added manually in the file data/config.php. Parameters can also be added to the file data/config-internal.php.

        Comment

        • Riad
          #2.1
          Riad commented
          05-12-2025, 01:31 PM
          Editing a comment
          Thank you lazovic .
        • yuri
          EspoCRM product developer
          • Mar 2014
          • 9643
          #3
          Note that disabling CSP increases security risks significantly. Not recommended.

            Comment

            • Riad
              #3.1
              Riad commented
              05-12-2025, 01:32 PM
              Editing a comment
              Thank you yuri how can solve it without security risks?
            • yuri
              EspoCRM product developer
              • Mar 2014
              • 9643
              #4
              Add to config-internal.php


              Code:
                'clientCspScriptSourceList' => [
      'https://maps.googleapis.com',
  ],
              If clientCspScriptSourceList is already there, add only the string.
                👍 1

                Comment

                • Riad
                  #4.1
                  Riad commented
                  05-12-2025, 01:37 PM
                  Editing a comment
                  Added it and make rebuild but the problem as it is.
                • Riad
                  Member
                  • Aug 2018
                  • 36
                  #5
                  Have this also "
                  /crm/client/modules/dynamic-checklist/lib/module-js-functions.js?r=1747057262

                  Status 404



                  VersionHTTP/2

                  Transferred15.72 kB (95.72 kB size)

                  Referrer Policystrict-origin-when-cross-origin

                  DNS ResolutionSystem
                  "

                    Comment

                    Previous template Next
                    Working...