I ran into a problem when setting up the Content-Security-Policy HTTP response header.
When the header is set, the browser can’t render the website anymore, due to the following error: “content security policy: the page’s settings blocked the loading of a resource at inline (“default-src”)”.
The issue seems to stem from inline scripts that are present in the HTML files that the web server supplies to the client.
The issue can be mitigated by adding the ‘unsafe-inline’ keyword to the HTTP header. This doesn’t seem to be best practice, however. Is it possible to prevent the creation of inline scripts?
We are currently on 4.1.1 and are hosting on IIS 10.
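
An added example, not part of the original post: a small Python check, standard library only, that lists what a policy without 'unsafe-inline' refuses to execute in an HTML file (inline `<script>` bodies, `on*` event-handler attributes and `javascript:` URLs), so the files the web server supplies can be inventoried. `InlineScriptFinder`, `scan` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Types the browser executes; anything else (e.g. application/json) is a data block.
JS_TYPES = {"", "text/javascript", "application/javascript", "module"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class InlineScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                      # (line, kind, detail)
        self._start, self._body = None, []      # inline <script> currently being read

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]                 # line on which this tag starts
        a = dict(attrs)
        kind = (a.get("type") or "").strip().lower()
        if tag == "script" and "src" not in a and kind in JS_TYPES:
            self._start, self._body = line, []  # external scripts are matched by source list instead
        for name, value in attrs:
            if name.startswith("on") and len(name) > 2:   # onclick, onload, ...
                self.findings.append((line, "event-handler", f"<{tag} {name}>"))
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"<{tag} {name}>"))

    def handle_data(self, data):
        if self._start is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._start is not None:
            body = "".join(self._body).strip()
            if body:                            # an empty <script></script> runs nothing
                self.findings.append((self._start, "inline-script", body[:40]))
            self._start = None

def scan(html):
    finder = InlineScriptFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample markup, not taken from the product in the post.
SAMPLE = """<script src="/static/app.js"></script>
<script>window.cfg = {debug: false};</script>
<script type="application/json">{"k": 1}</script>
<body onload="init()">
<a href="javascript:void(0)">menu</a>
<button onclick="save()">Save</button>"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Inline `<style>` elements and `style` attributes are not covered here; under a bare `default-src` they are restricted as well.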