When I remove unsafe-inline from script-src on my CSP headers I get multiple errors on Modernizr 2.8.3 and a error on JQuery 2.1.3. It's strange because I only get this error on one of my sites although I am using the same libraries on others with no CSP issue.
Error example:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' *.github.com *.bootstrapcdn.com *.jsdelivr.net *.twitter.com *.googleapis.com *.google.com dmjwor2go9n1u.cloudfront.net". Either the 'unsafe-inline' keyword, a hash ('sha256-CwE3Bg0VYQOIdNAkbB_Btdkhul49qZuwgNCMPgNY5zw='), or a nonce ('nonce-...') is required to enable inline execution.I have a hunch is has something to do with the part of the script:
style = ['­','<style id="s', mod, '">', rule, '</style>'].join('');When I click the chrome console to link me to the error I get placed around here:
<style id="s',v,'">',e,"</style>"].join(""),u.id=v,(l?u:d).innerHTML+=a,d.appendChild(u)
Pretty lost as to why this is happening and can't seem to find any real direction in my google searching. Could these errors be firing as to how I am using these libraries? Any help or insight is appreciated.
