A nonce is a random value generated per HTTP request. Add it to the CSP header (script-src 'nonce-abc123') and to each allowed script tag ( ). The nonce changes every request, so injected scripts cannot guess it.

How do I handle Google Analytics with CSP?

Add Google Analytics domains to script-src: 'https://www.googletagmanager.com https://www.google-analytics.com'. For the inline gtag script, use a nonce. Or move the gtag initialization to an external JS file.

CSP Blocked Inline Script — Content Security Policy Script Execution Error

Warningsecurity

Overview

Fix Content-Security-Policy blocking inline scripts and event handlers with 'Refused to execute inline script' errors in the browser console.

Key Details

Content-Security-Policy (CSP) script-src directive controls which scripts can execute on the page
A strict CSP blocks inline scripts (script tags without src, onclick handlers, javascript: URLs)
CSP prevents Cross-Site Scripting (XSS) by blocking script injection into the page
Nonces (per-request random values) or hashes allow specific inline scripts through the CSP
The error appears in the browser console: 'Refused to execute inline script because it violates CSP'

Common Causes

CSP script-src does not include 'unsafe-inline' and page uses inline scripts
Dynamic script injection (document.write, innerHTML with scripts) blocked by CSP
Third-party widget or analytics snippet using inline scripts blocked by the CSP policy
CSP nonce not matching the nonce attribute on the inline script tag

Steps

1Move inline scripts to external .js files and include them via script src (best practice)
2Use nonces: add 'nonce-randomValue' to CSP script-src and nonce='randomValue' to the script tag
3Use hashes: compute SHA-256 of the inline script content and add 'sha256-hash' to CSP script-src
4For inline event handlers (onclick, onload): move to addEventListener in an external JS file
5As last resort: add 'unsafe-inline' to script-src (reduces CSP security significantly)

Related Items

browser-mixed-content-blocked-https

More in Security

windows-defender-errorsWindows Defender Errors — Antivirus Not Working or Updating

Error

windows-error-0x80073b01-defender-serviceWindows Error 0x80073B01 — Windows Defender Service Failed to Start

Error

windows-bitlocker-recovery-key-errorsBitLocker Recovery Key Errors — Drive Locked and Recovery Key Not Found

Critical

mac-gatekeeper-app-blockedMac Gatekeeper — App Cannot Be Opened (Unidentified Developer)

Warning

mac-filevault-recovery-errorsMac FileVault Errors — Encryption, Decryption & Recovery Key Issues

Error

mac-keychain-errors-passwordsMac Keychain Errors — Password Prompts, Locked Keychain, and Repair Guide

Warning

Frequently Asked Questions

Avoid it if possible. 'unsafe-inline' allows any inline script to execute, which defeats CSP's XSS protection. Use nonces (generated per request) or hashes (computed from script content) to allow only specific inline scripts.

CSP Blocked Inline Script — Content Security Policy Script Execution Error

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in Security

Frequently Asked Questions