CSP 1.0 breaks inline script

Support for the W3C Content Security Policy specification may cause inline script to break.

Microsoft Edge implements Content Security Policy (CSP) 1.0. For extended details, please read the W3C Content Security Policy specification or a helpful article about CSP 1.0 over at

CSP is implemented by sending an HTTP header that defines your security policy. Using it can cause unintended consequences for sites that use inline JavaScript or onClick handlers in HTML elements. To guard against script injection, these methods of inserting and calling JavaScript are blocked: they cause errors instead of running, and page functionality that depends on them breaks.

The recommended workaround is to keep all JavaScript in external files and import it with <script src="[name of file]"> elements, and replace all onClick handlers in your HTML with addEventListener() handlers in your JavaScript code.
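
One way to find the markup this workaround has to change, as an added example that is not part of the original article: a heuristic Node.js scan for inline script blocks and inline handler attributes, with a suggested addEventListener() replacement for each handler. It goes beyond onClick to every on* attribute, since CSP blocks them alike; the sample HTML, the `handler` name and the generated selectors are assumptions.

```javascript
// Added example (not from the original article): heuristic audit for markup
// that a CSP without 'unsafe-inline' refuses to run. Regex scanning is a
// simplification; a real HTML parser is more robust.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Constructed sample page used to exercise the audit.
const SAMPLE_HTML = `<head>
  <script src="/js/app.js"></script>
  <script>var started = Date.now();</script>
</head>
<body>
  <button id="save" onClick="save()">Save</button>
  <a href="/help" onmouseover="hint(this)">Help</a>
  <script type="application/json">{"note": "data block"}</script>
</body>`;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return attrs;
}

function auditInlineScript(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const line = html.slice(0, m.index).split("\n").length;
    for (const name of Object.keys(attrs).filter((n) => /^on[a-z]+$/.test(n))) {
      // "handler" is a hypothetical function name; the selector is a guess.
      const fix = `document.querySelector("${attrs.id ? "#" + attrs.id : tag}")` +
        `.addEventListener("${name.slice(2)}", handler)`;
      findings.push({ line, kind: "inline-handler", detail: `${name}="${attrs[name]}"`, fix });
    }
    if (tag !== "script") continue;
    // Skip the element body so script text is never parsed as tags.
    let end = html.toLowerCase().indexOf("</script", tagRe.lastIndex);
    if (end === -1) end = html.length;
    const body = html.slice(tagRe.lastIndex, end).trim();
    tagRe.lastIndex = end;
    const executable = /javascript|ecmascript|^module$/i.test(attrs.type || "text/javascript");
    if (!("src" in attrs) && executable && body !== "") {
      findings.push({ line, kind: "inline-script", detail: body.slice(0, 40), fix: "move to an external .js file" });
    }
  }
  return findings;
}
```

Calling `auditInlineScript(SAMPLE_HTML)` reports the inline block on line 3 and the two handler attributes on lines 6 and 7; the external script and the JSON data block are not flagged.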