When using script-src 'self', I constantly get Error: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'"

I have moved all JS to xx.JS file, even removed all references to meta tags, onclick, onload & style and still get the error.

Error: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'"

This error means your CSP is blocking inline event handlers in HTML code. Inlining event handlers is bad practice. All inline scripts are considered a vulnerability and a high security risk.

So the best thing to do would be to replace this event handler with a proper one written in your JS file. In addition, this error may also be caused by inline styles (styles <style> </style> in HTML files), so inline styles also need to be removed.

If this doesn't work, try adding 'unsafe-hashes' to your script-src.

Best regards,

Yurong Dai
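
The advice above in practice, as an added example that is not part of the original answer: a Node.js triage script that lists every inline `on*` attribute still present in a page, together with the hash source that `'unsafe-hashes'` would have to be paired with in `script-src` for that handler to run. The function names and the sample markup are constructed for illustration.

```javascript
// Added example (Node.js): names and sample markup are constructed for illustration.
const { createHash } = require("node:crypto");

// Hash source that 'unsafe-hashes' needs: base64 SHA-256 of the exact attribute value.
function cspHash(handlerSource) {
  const digest = createHash("sha256").update(handlerSource, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// List every on* attribute in an HTML string. Regex triage, not a full HTML parser:
// it does not decode entities or skip comments and <script> bodies.
function findInlineHandlers(html) {
  const tagRe = /<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'"<>])*)>/g;
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
  const findings = [];
  for (const tag of html.matchAll(tagRe)) {
    const line = html.slice(0, tag.index).split("\n").length;
    for (const attr of tag[2].matchAll(attrRe)) {
      if (!/^on[a-z]+$/i.test(attr[1])) continue; // only event handler attributes
      const code = attr[2] ?? attr[3] ?? attr[4] ?? "";
      findings.push({ line, tag: tag[1].toLowerCase(),
        attribute: attr[1].toLowerCase(), code, hash: cspHash(code) });
    }
  }
  return findings;
}

// Constructed sample page: two leftover handlers and one decoy attribute value.
const sampleHtml = [
  "<!doctype html>",
  '<body onload="init()">',
  '  <script src="app.js"></script>',
  '  <a href="/help" title="onclick=demo">Help</a>',
  "  <button id=\"save\" onClick='saveForm(1 > 0)'>Save</button>",
  "</body>",
].join("\n");

for (const f of findInlineHandlers(sampleHtml)) {
  console.log(`line ${f.line}: <${f.tag}> ${f.attribute}="${f.code}" -> ${f.hash}`);
}

// Preferred fix, in the external file that script-src 'self' already allows:
//   document.getElementById("save").addEventListener("click", () => saveForm());
// then delete the on* attribute from the markup.
```

Handlers assigned at runtime through `setAttribute("onclick", ...)` or injected markup do not appear in the static source, so the rendered DOM needs the same check.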