Refused to load script from https://connect.facebook.net/

v2025.4

The following line is used in a custom file with included common files:


<script async defer crossorigin="anonymous" src="https://connect.facebook.net/en_US/sdk.js"></script>

and returned

shop:1 Refused to load the script 'https://connect.facebook.net/en_US/sdk.js' because it violates the following Content Security Policy directive: "script-src 'self' https://www.google-analytics.com https://*.googleapis.com https://*.gstatic.com https://*.google.com *.google.com https://*.ggpht.com https://*.googleusercontent.com *.googleusercontent.com https://js.pusher.com https://cdn.tiny.cloud https://*.youtube.com 'unsafe-inline' 'unsafe-eval' blob:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

In advanced settings I have Access-Control-Allow-Origin → *

ty

Hi.
So for 2025, I need to allow sources for JS like so:

Config()->append("CSP.script-src.allow", "https://connect.facebook.net");

and this goes in Server Events → Global → All Pages → Global Code

So this worked. Just wondering, if I need it for a specific custom page, can I limit it to that custom page?

You may check the current URL, e.g. ScriptName(), first.

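Why the browser refused the SDK and why adding the host fixes it, as an added example that is not part of the thread or of the product's code: a simplified version of the `script-src` source matching a browser performs, run against the policy string from the console error above. Assumptions: `PAGE_ORIGIN` is a constructed placeholder, ports and paths in sources are ignored, and the `Config()->append(...)` call is assumed to have the effect of adding the host to the `script-src` list.

```javascript
// Simplified CSP source matching (scheme + host only). Added illustration, not browser or product code.
// Only the CSP header is consulted here; Access-Control-Allow-Origin plays no part in this check.
const POLICY = "script-src 'self' https://www.google-analytics.com https://*.googleapis.com https://*.gstatic.com https://*.google.com *.google.com https://*.ggpht.com https://*.googleusercontent.com *.googleusercontent.com https://js.pusher.com https://cdn.tiny.cloud https://*.youtube.com 'unsafe-inline' 'unsafe-eval' blob:";
const PAGE_ORIGIN = "https://example.test"; // constructed placeholder for the site's own origin

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first occurrence wins
  }
  return directives;
}

function hostMatches(pattern, host) {
  // "*.google.com" matches subdomains only, never the bare "google.com"
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never allow an external URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // e.g. blob:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  if (!scheme && !["http:", "https:"].includes(url.protocol)) return false; // simplification
  return hostMatches(host.toLowerCase(), url.hostname);
}

function scriptAllowed(header, scriptUrl, pageOrigin) {
  const d = parsePolicy(header);
  // Same fallback the console message mentions: script-src-elem, then script-src
  const list = d.get("script-src-elem") ?? d.get("script-src") ?? d.get("default-src");
  if (!list) return true; // no applicable directive, nothing is restricted
  const url = new URL(scriptUrl);
  return list.some((s) => sourceMatches(s, url, pageOrigin));
}

const SDK = "https://connect.facebook.net/en_US/sdk.js";
console.log("original policy:", scriptAllowed(POLICY, SDK, PAGE_ORIGIN));
console.log("with host added:", scriptAllowed(POLICY + " https://connect.facebook.net", SDK, PAGE_ORIGIN));
```

Adding the exact host keeps the allow-list narrow; a wildcard such as `https://*.facebook.net` would admit scripts from every subdomain.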