I'm trying to add the Comodo Trust Seal on my site but it gives this error in Chrome:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-vhrQsqENchpHihJQOgFTEaBmOiOTI6hAqox4RMB8duY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

This is the Comodo code:

<script type="text/javascript"> //<![CDATA[
  var tlJsHost = ((window.location.protocol == "https:") ? "https://secure.trust-provider.com/" : "http://www.trustlogo.com/");
  document.write(unescape("%3Cscript src='" + tlJsHost + "trustlogo/javascript/trustlogo.js' type='text/javascript'%3E%3C/script%3E"));
//]]></script>
<script language="JavaScript" type="text/javascript">
  TrustLogo("https://ssl.comodo.com/images/seals/sectigo_trust_seal_lg_2x.png", "SECDV", "none");
</script>

How can I fix this error?

  • Did you ask Comodo to give you an updated snippet? The correct path security-wise is indeed the sha256 hash (see w3schools.com/Tags/att_script_integrity.asp), but obviously it needs to be maintained... Commented Apr 9, 2022 at 1:23

1 Answer


Your server is presenting a Content Security Policy header, which defines that default-src is 'none'.

A 'none' value means that no external or internal scripts can execute unless a valid nonce or SHA256 checksum is present.

You could modify the Content Security Policy header to allow self-hosted scripts, and in this case, the one from Comodo:

default-src 'self' *.comodo.com;

Another approach is to whitelist the script using SHA256.
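The two routes mentioned on this page (hashing the inline blocks, as the Chrome error suggests, and allowlisting the hosts that serve the external script, as the answer suggests) can be combined into one policy. The script below is an added example, not code from the question, the answer or Comodo: it extracts every inline `<script>` body from an HTML fragment, computes the `'sha256-…'` source expression for each exactly the way a browser does (over the raw text between the tags, whitespace included), and assembles a `script-src` directive that also lists the external script hosts. The sample fragment is the snippet from the question; the external hosts are taken from that snippet's `tlJsHost` values, and the `img-src` entry for the seal image host is an assumption based on the image URL passed to `TrustLogo(...)`, since what `trustlogo.js` itself loads is not shown on the page.

```python
import base64
import hashlib
import re

# Constructed sample: the two inline <script> blocks from the question, as one HTML
# fragment. Exact whitespace matters, because CSP hashes the script body byte-for-byte.
SAMPLE_HTML = """<script type="text/javascript"> //<![CDATA[
  var tlJsHost = ((window.location.protocol == "https:") ? "https://secure.trust-provider.com/" : "http://www.trustlogo.com/");
  document.write(unescape("%3Cscript src='" + tlJsHost + "trustlogo/javascript/trustlogo.js' type='text/javascript'%3E%3C/script%3E"));
//]]></script>
<script language="JavaScript" type="text/javascript">
  TrustLogo("https://ssl.comodo.com/images/seals/sectigo_trust_seal_lg_2x.png", "SECDV", "none");
</script>"""

# Hosts the snippet's document.write() injects a <script src> from (taken from tlJsHost).
# Only the https origin is listed; on an https page the http fallback branch never runs.
EXTERNAL_SCRIPT_HOSTS = ("https://secure.trust-provider.com",)

# Assumption: the seal image comes from the host in the TrustLogo(...) image URL, so it
# needs an img-src entry once default-src is 'none'.
SEAL_IMAGE_HOSTS = ("https://ssl.comodo.com",)

# Non-greedy match of each <script ...>body</script> pair, tags excluded.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def inline_script_bodies(html):
    """Return the raw text of every inline script body in document order."""
    return SCRIPT_RE.findall(html)


def csp_hash(source):
    """CSP source expression for an inline script: base64(sha256(body)), untrimmed.

    Browsers hash the text between <script> and </script> exactly as served, so a
    single changed byte (even whitespace) invalidates the hash. That is the
    maintenance cost the comment on the question points out."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_script_src(html, external_hosts):
    """script-src = 'self' + explicit external hosts + one hash per inline block.

    Listing the hosts by name is narrower than a wildcard such as *.comodo.com and
    avoids 'unsafe-inline', which would allow any injected inline script to run."""
    sources = ["'self'", *external_hosts]
    sources += [csp_hash(body) for body in inline_script_bodies(html)]
    return "script-src " + " ".join(sources) + ";"


def build_policy(html, external_hosts=EXTERNAL_SCRIPT_HOSTS, image_hosts=SEAL_IMAGE_HOSTS):
    """Full header value: keep default-src 'none' and open only what the seal needs."""
    return " ".join([
        "default-src 'none';",
        build_script_src(html, external_hosts),
        "img-src 'self' " + " ".join(image_hosts) + ";",
    ])


if __name__ == "__main__":
    # Print the header value to paste into the server's Content-Security-Policy header.
    print("Content-Security-Policy: " + build_policy(SAMPLE_HTML))
```

Run it against the exact bytes your server emits, not a reformatted copy: if a template engine re-indents the snippet, the hashes printed here will not match what the browser computes, and the console error will return with a different `sha256-…` value. Whenever the vendor changes the snippet, regenerate the header from the new markup.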
