Content Security Policy errors with style-src self

[bunsenmcdubbs]

I'm not sure if this is an error or issue with my local configuration but in both Chrome (51) and Firefox (40, 45) I get errors relating to the CSP.

Chrome:

ng-file-upload.js:601 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-QNZepBp2sFHapu/mZlZx9qzx2uVkSgN5NkyJhrAa8XM='), or a nonce ('nonce-...') is required to enable inline execution.

jquery.js:5114 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-1nVQdHiAzq+yQt4PZ8OE7a29XlxBFIzESqqj+rz4Jdc='), or a nonce ('nonce-...') is required to enable inline execution.

Firefox:

Content Security Policy: The page's settings blocked the loading of a resource at self ("style-src http://localhost:8080").

It doesn't seem to break any functionality on the site and its interesting to see that it's frequency is not constant (not always the same number of errors per page load etc). I don't think it's a very high priority but it does come up a lot in the Javascript console.

[syjer]

@bunsenmcdubbs yes we are aware :). I guess that we will relax the CSP policy for css. Should not be too dangerous.

[syjer]

fixed :)

We have enabled unsafe-inline for the style.