Refused to apply inline style... ERROR Play 2.6.x


#1

Hi,

I can't display CSS styles in Chrome or Firefox; instead I get this error:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-Px7/U7FvVB0gdAHejj6zZ5qhvm1sCBXmO7rJkx3iyhE='), or a nonce ('nonce-…') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Can someone help me with this?

Thanks


(Will Sargent) #2

Set your content security policy to null.

https://www.playframework.com/documentation/2.6.x/SecurityHeaders

More here

https://nvisium.com/resources/blog/2017/10/04/play-2-6-security-analysis.html


#3

Thanks, I solved my problem, and here is how:

  1. Open application.conf

  2. Find “Security headers filter configuration” and replace headers with this:

headers {

# The X-Frame-Options header. If null, the header is not set.
#frameOptions = null

# The X-XSS-Protection header. If null, the header is not set.
#xssProtection = null

# The X-Content-Type-Options header. If null, the header is not set.
#contentTypeOptions = null

# The X-Permitted-Cross-Domain-Policies header. If null, the header is not set.
#permittedCrossDomainPolicies = null

# The Content-Security-Policy header. If null, the header is not set.
#contentSecurityPolicy = null

}

  3. Find the "Disabled filters remove elements from the enabled list." and replace with that:

disabled += "play.filters.headers.SecurityHeadersFilter"

  4. Save the file and you are good to go

(Greg Methvin) #4

If you really want to disable the filter, you shouldn’t need anything more than:

play.filters.disabled += "play.filters.headers.SecurityHeadersFilter"

Just keep in mind that Play is trying to be helpful here. If you have a web app it’s a good idea to set these headers to reasonable values to prevent XSS.


(Will Sargent) #5

You have the section behind comments, so that doesn’t do anything.

You also don’t need to disable the filter. You only need to set

contentSecurityPolicy = null

and that should take care of it.
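The browser error in the original post lists three ways to make an inline style pass CSP (the 'unsafe-inline' keyword, a hash, or a nonce), and the replies discuss a fourth (setting contentSecurityPolicy = null so Play sends no header at all). The script below is an added example written for this page, not code from the thread or from Play itself: it models the browser's decision for one inline style block under each option, computes the sha256 source expression the error message refers to, and renders each option as the application.conf line Play 2.6 reads (the key play.filters.headers.contentSecurityPolicy and its shipped default "default-src 'self'" come from the SecurityHeaders docs linked above). The inline stylesheet, the nonce value and the helper names are constructed for the example. One caveat the thread does not spell out: a nonce must be freshly generated per response, so a fixed nonce string in application.conf gives no protection; the nonce case is shown here only so the matching logic can be checked.

```python
"""Model of how a browser applies a Content-Security-Policy to an inline <style>.

Added example for this thread; not Play's code. It reproduces the CSP3 rules
the error message alludes to: style-src falls back to default-src, and an
inline block is allowed only via 'unsafe-inline', a matching hash, or a
matching nonce (with 'unsafe-inline' ignored once any nonce/hash is listed).
"""
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample standing in for the poster's real <style> block (not on the page).
SAMPLE_INLINE_STYLE = "body { font-family: sans-serif; }"

# Play 2.6 config key and shipped default, per the SecurityHeaders documentation.
PLAY_CSP_KEY = "play.filters.headers.contentSecurityPolicy"
PLAY_DEFAULT_CSP = "default-src 'self'"


def csp_hash_source(inline_body: str) -> str:
    """Return the 'sha256-<base64>' source expression the browser reports for a block.

    The digest covers the exact text between the tags, whitespace included, so
    any edit to the stylesheet invalidates a hash baked into the config.
    """
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; keep the first one.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Sources governing `name`, with the default-src fallback the error mentions."""
    if name in directives:
        return directives[name]
    return directives.get("default-src")


def inline_style_allowed(policy: Optional[str], inline_body: str,
                         nonce: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether one inline <style> (with optional nonce attribute) is allowed.

    policy=None models Play sending no header at all (contentSecurityPolicy = null).
    """
    if policy is None:
        return True, "no Content-Security-Policy header sent"
    sources = effective_sources(parse_csp(policy), "style-src")
    if sources is None:
        return True, "neither style-src nor default-src is set"
    # CSP3: once any nonce or hash source is present, 'unsafe-inline' is ignored.
    strict = [s for s in sources if s.startswith("'nonce-") or s.startswith("'sha")]
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True, "nonce matches"
    if csp_hash_source(inline_body) in sources:
        return True, "sha256 hash matches"
    if "'unsafe-inline'" in sources and not strict:
        return True, "'unsafe-inline' present"
    return False, "blocked: style-src needs 'unsafe-inline', a matching hash or a matching nonce"


def play_config_options(inline_body: str, nonce: str) -> Dict[str, Optional[str]]:
    """The four resolutions discussed in the thread, as values for the Play key."""
    return {
        "disable header": None,
        "unsafe-inline": f"{PLAY_DEFAULT_CSP}; style-src 'self' 'unsafe-inline'",
        "hash": f"{PLAY_DEFAULT_CSP}; style-src 'self' {csp_hash_source(inline_body)}",
        # A real nonce must be generated per response; a fixed one is for illustration only.
        "nonce": f"{PLAY_DEFAULT_CSP}; style-src 'self' 'nonce-{nonce}'",
    }


def as_hocon(policy: Optional[str]) -> str:
    """Render a policy as the application.conf (HOCON) line Play 2.6 reads."""
    if policy is None:
        return f"{PLAY_CSP_KEY} = null"
    return f'{PLAY_CSP_KEY} = "{policy}"'


if __name__ == "__main__":
    print("default policy:", inline_style_allowed(PLAY_DEFAULT_CSP, SAMPLE_INLINE_STYLE))
    for label, policy in play_config_options(SAMPLE_INLINE_STYLE, "r4nd0m").items():
        verdict = inline_style_allowed(policy, SAMPLE_INLINE_STYLE, nonce="r4nd0m")
        print(f"{label:15} -> {as_hocon(policy)}\n{'':15}    {verdict}")
```

Of the four options, the hash keeps the policy tight at the cost of recomputing it whenever the stylesheet changes; 'unsafe-inline' on style-src is the usual pragmatic choice for styles; and null removes the header, which is what the replies suggest but also drops the protection Greg Methvin refers to.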