CSP errors and warnings (Content Security Policy)
Draft
This page is not complete.
This page will be a parent for reference articles about CSP errors and warnings, and will provide an overview of them, and generic troubleshooting advice, if possible.
The errors
- The pageâs settings blocked the loading of a resource: %1$S
- The pageâs settings blocked the loading of a resource at %2$S (â%1$Sâ).
- A violation occurred for a report-only CSP policy (â%1$Sâ). The behavior was allowed, and a CSP report was sent.
- The pageâs settings observed the loading of a resource at %2$S (â%1$Sâ). A CSP report is being sent.
- Tried to send report to invalid URI: â%1$Sâ
- couldnât parse report URI: %1$S
- Couldnât process unknown directive â%1$Sâ
- Ignoring unknown option %1$S
- Ignoring duplicate source %1$S
- Ignoring source â%1$Sâ (Not supported when delivered via meta element).
- Ignoring â%1$Sâ within script-src or style-src: nonce-source or hash-source specified
- Ignoring â%1$Sâ within script-src: âstrict-dynamicâ specified
- Ignoring source â%1$Sâ (Only supported within script-src).
- Keyword âstrict-dynamicâ within â%1$Sâ with no valid nonce or hash might block all scripts from loading
- The report URI (%1$S) should be an HTTP or HTTPS URI.
- This site (%1$S) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
- Failed to parse unrecognized source %1$S
- An attempt to execute inline scripts has been blocked
- An attempt to apply inline style sheets has been blocked
- An attempt to call JavaScript from a string (by calling a function like eval) has been blocked
- Upgrading insecure request â%1$Sâ to use â%2$Sâ
- Ignoring srcs for directive â%1$Sâ
- Interpreting %1$S as a hostname, not a keyword. If you intended this to be a keyword, use â%2$Sâ (wrapped in single quotes).
- Not supporting directive â%1$Sâ. Directive and values will be ignored.
- Blocking insecure request â%1$Sâ.
- Ignoring â%1$Sâ since it does not contain any parameters.
- Ignoring sandbox directive when delivered in a report-only policy â%1$Sâ
- Referrer Directive â%1$Sâ has been deprecated. Please use the Referrer-Policy header instead.
- Ignoring â%1$Sâ because of â%2$Sâ directive.
- Couldnât parse invalid source %1$S
- Couldnât parse invalid host %1$S
- Couldnât parse scheme in %1$S
- Couldnât parse port in %1$S
- Duplicate %1$S directives detected. All but the first instance will be ignored.
- Directive â%1$Sâ has been deprecated. Please use directive âworker-srcâ to control workers, or directive âframe-srcâ to control frames respectively.
- Couldnât parse invalid sandbox flag â%1$Sâ