Refused to execute a script (CSP issues)

[mjabdulm]

System Information:

macOS version: 10.14.6
Userscripts version:3.0.2
Safari version: 14.0.3 (14610.4.3.1.7)

Hi,

I wanted to execute a JS script and I get the following error while trying to execute the script. Please guide on how to debug this.

[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (tto-dyni-oto, line 0)

Thanks,
Abdul

[quoid]

@mjabdulm

TL;DR: try putting this into your scripts metadata: @inject-into content

That error most often occurs when trying to inject the script into the page context on a website with a strict content security policy.

Injecting into the content script context can usually circumvent this issue. You can do that by using the @inject-into key with the value content or auto. auto attempts to inject into the page context and if an error occurs it should automatically fallback to content. You can read more about available keys here.

Note, this error is due to the webpage's content security policy, which the user has no control over. While injecting into the content context will usually allow script execution, it is not always a perfect solution since there are some things you can not accomplish in the content script context. Unfortunately, it is the only alternative for strict security policies, currently.

[mjabdulm]

Hi Justin, Thanks a lot for this option. I'm able to proceed now. Thanks. Cheers Abdul On 12-Mar-2021, at 1:52 PM, Justin Wasack ***@***.***> wrote: @mjabdulm <https://github.com/mjabdulm> TL;DR: try putting this into your scripts metadata: @inject-into content That error most often occurs when trying to inject the script into the page context on a website with a script content security policy. Injecting into the content script context can usually circumvent this issue. You can do that by using the @inject-into key with the value content or auto. auto attempts to inject into the page context and if an error occurs it should automatically fallback to content. You can read more about available keys here <https://github.com/quoid/userscripts#userscript-metadata>. Note, this error is due to the webpage's content security policy, which the user has no control over. While injecting into the content context will usually allow script execution, it is not always a perfect solution since there are some things you can not accomplish in the content script context. Unfortunately, it is the only alternative for strict security policies, currently. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#106 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHDZNWI2PVLDZT7PHLDGUBDTDG6MDANCNFSM4ZBX2KLA>.

[TraderStf]

@quoid
May I add this explanation in the FAQ section?
Or add it to another new section: Common Errors/Problems/?? what title?

Common Errors

[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy...

It occurs when trying to inject the script into the page context which as script Content Security Policy (CSP).

Injecting into the content script context @inject-into content usually circumvent this issue.
Use @inject-into with the value content or auto (default).
auto attempts to inject into the page context and if an error occurs it automatically fallback to content.
Ref. Metadata

This error is due to the webpage's CSP, which the user has no control over.
While injecting into the content context will usually allow script execution, it is not always a perfect solution since there are some things you can not accomplish in the content script context.
Unfortunately, it is the only alternative for strict CSP, currently.

[TraderStf]

If you have other previous error-solutions to add to the FAQ, just point me to them, I will do the blabla 💼
A good faq is less wasted time for you with rookies like me 😜

[quoid]

@TraderStf I have already done this for next update, but thank you for offer.