Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Cordova error: Refused to execute inline script because it violates the following Content Security Policy directive

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-iacGaS9lJJpFDLww4DKQsrDPQ2lxppM2d2GGnzCeKkU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

My code is as follows:

    <!DOCTYPE html> 
        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:;">
        <meta name="format-detection" content="telephone=no">
        <meta name="msapplication-tap-highlight" content="no">
        <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width">
        <link rel="stylesheet" type="text/css" href="css/index.css">
        <title>Hello World</title>
        <script> 
            $(document).ready(function()
                $("#tryit").click(function() {   
                    document.getElementById("msg").innerHTML = "hello";
        </script>
    </head>
        <button id="tryit">Try it</button>
        <div id="msg"></div>
        <script type="text/javascript" src="cordova.js"></script>
        <script type="text/javascript" src="js/index.js"></script>
    </body>
</html>
In the class, I wrote this:
cordova create hello2 com.example.hello2 hello2
cordova platform add android
cordova build 
I think it has to do with "cordova-plugin-whitelist"
, but I don't know how to uninstall the NPM
You need to add 'unsafe-inline' to the Content-Security-Policy; either to the default-src or explicitly for Javascript using script-src. So try something like:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:;">
                dont work:  "Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-LdEltaoIZrExAQZ54F5NNnSz57M='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback."
– padavan
                Dec 25, 2022 at 14:49
Simply add this code in index.html 

<meta http-equiv="Content-Security-Policy" script-src='unsafe-inline';>
For more information visit:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script
                dont work:  "Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-LdEltaoIZrExAQZ54F5NNnSz57M='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback."
– padavan
                Dec 25, 2022 at 14:49
        
Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.