
I am trying to set up a simple application using the Play Framework 2.6 and Scala, and I can't seem to run inline JavaScript from my HTML templates. I keep getting the error:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-DdH/amfJizOgk2xZ+Xst5j13qHxPYrrrfT6x/TzfYiA='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

My scala code is:

package controllers

import javax.inject._
import play.api.mvc._

// Renders the main template. No CSP header is set here, so whatever the
// browser enforces comes from the SecurityHeadersFilter or the template itself.
class HomeController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {

  def index() = Action { implicit request: Request[AnyContent] =>
    Ok(views.html.main("Hello World"))
  }
}

And my html.main.html file looks like:

@(title: String)

<!DOCTYPE html>
<html lang="en">
    <head>
        @* This meta tag is enforced by the browser on its own, independently of any server-side header. *@
        <meta http-equiv="Content-Security-Policy" content="default-src 'self'">
        <title>@title</title>
        <link rel="stylesheet" media="screen" href="@routes.Assets.versioned("stylesheets/main.css")">
        <link rel="shortcut icon" type="image/png" href="@routes.Assets.versioned("images/favicon.png")">
    </head>
    <body>
        <script type="text/javascript">
            document.write("Check");
        </script>

        <script src="@routes.Assets.versioned("javascripts/main.js")" type="text/javascript"></script>
    </body>
</html>

So ideally it should print "Check" on the screen when I connect on localhost. I tried changing my application.conf file to

play.filters.headers.contentSecurityPolicy = null

But that didn't work either. What else can I try?

  • This might sound crazy, but try moving the inline script so it's the last JavaScript tag. Then try an alert("Check") instead. Commented Feb 14, 2018 at 16:34
  • @RobertUdah I just tried it and that didn't work. Commented Feb 14, 2018 at 17:26
  • Doesn't look like this is specific to Play. Check out stackoverflow.com/questions/8502307/… Commented Feb 14, 2018 at 18:32

2 Answers

The

play.filters.headers.contentSecurityPolicy = null

is correct; now remove

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

and then it must work as you expected


2 Comments

  • 'play.filters.headers.contentSecurityPolicy = null' is not best practice.
  • @MHJ, of course it is not. I just answered how it could work if you want it to work. The author can use it for fast prototyping or so. It has a reason to exist; otherwise the Play authors would have to remove the ability to set the content security policy to null.


The best way to avoid this problem would be to use an extra JavaScript file which contains your code, but I had a similar problem and solved it by setting a very long policy in my application.conf:

play.filters.headers.contentSecurityPolicy = "default-src 'self';script-src 'self' https://my-site.com 'unsafe-inline';style-src 'self' https://my-site.com;font-src 'self' https://my-site.com;img-src 'self' https://my-site.com data:"

my-site.com is the hostname my app is served from.
