IIS Content Security Policy

Harold 1 Reputation point
2022-08-25T13:56:50.36+00:00

When using script-src 'self', I constantly get Error: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'".

I have moved all JS to xx.JS file, even removed all references to meta tags, onclick, onload & style and still get the error.

Internet Information Services

1 answer

  1. Yurong Dai-MSFT 2,781 Reputation points Microsoft Vendor
    2022-08-26T05:57:40.247+00:00

    Error: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'"

    This error means your CSP is blocking inline event handlers in HTML code. Inlining event handlers is bad practice. All inline scripts are considered a vulnerability and a high security risk.

    So the best thing to do would be to replace this event handler with a proper one written in your JS file. In addition, this error may also be caused by inline styles (styles <style> </style> in HTML files), so inline styles also need to be removed.

    If this doesn't work, try adding 'unsafe-hashes' to your script-src.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the email notification for this thread.

    Best regards,

    Yurong Dai
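
To locate the markup that still triggers this violation, the following added example (not part of the thread and not Microsoft's code) scans a page's HTML for `on*` attributes, `javascript:` URLs and `<script>` blocks without `src`, all of which `script-src 'self'` blocks as inline script. The function name `findInlineScript` and the sample page are assumptions constructed for illustration, and the regex matching is a heuristic rather than a full HTML parser.

```javascript
// Added example: heuristic scan for markup that script-src 'self' treats as inline script.
// TAG matches an opening tag with its attribute list; ATTR walks name[=value] pairs.
const TAG = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'>=\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR = /([^\s"'>=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function findInlineScript(html) {
  const findings = [];
  for (const m of html.matchAll(TAG)) {
    const tag = m[1].toLowerCase();
    // 1-based line number of the tag, so the finding can be traced in the source file
    const line = html.slice(0, m.index).split("\n").length;
    let hasSrc = false;
    for (const a of m[2].matchAll(ATTR)) {
      const name = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      if (name === "src") hasSrc = true;
      if (/^on[a-z]+$/.test(name)) {
        // onclick=, onload=, ... : the "inline event handler" from the error message
        findings.push({ line, tag, kind: "event-handler", attr: name });
      } else if (/^javascript:/i.test(value)) {
        findings.push({ line, tag, kind: "javascript-url", attr: name });
      }
    }
    if (tag === "script" && !hasSrc) {
      findings.push({ line, tag, kind: "inline-script", attr: null });
    }
  }
  return findings;
}

// Constructed sample page (not from the thread); data-onclick is harmless and must not be flagged.
const SAMPLE = [
  '<html><body onload="init()">',
  '<script src="/js/app.js"></script>',
  '<a href="javascript:void(0)" id="go">Go</a>',
  '<button id="save" OnClick = "save()">Save</button>',
  '<button id="ok" data-onclick="x">OK</button>',
  '<script>init();</script>',
  '</body></html>',
].join("\n");

for (const f of findInlineScript(SAMPLE)) {
  console.log(`line ${f.line}: <${f.tag}> ${f.kind}${f.attr ? " (" + f.attr + ")" : ""}`);
}
```

Each `event-handler` finding is a candidate for the replacement described in the answer: remove the attribute and register the handler with `addEventListener` in the external JS file. Handlers assigned at runtime as strings (for example through `setAttribute('onclick', ...)`) raise the same violation and are not visible to a scan of static HTML.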