CSP: Refused to Load Script — Fix

Exact Browser Console Error
Refused to load the script 'https://cdn.example.com/widget.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Your CSP is blocking a script. The error tells you exactly what was blocked and which directive caused it. Add the domain to script-src.

Read the error — it tells you exactly what to add

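From the error above: https://cdn.example.com/widget.js is blocked. The directive is script-src. The fix is adding https://cdn.example.com to script-src. Add only the origin the error names, not a wildcard: every script served from an allowed origin can then run on your page.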

Add the domain to script-src

# Nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com;" always;

# Vercel (vercel.json)
{ "headers": [ { "source": "/(.*)", "headers": [
  { "key": "Content-Security-Policy", "value": "default-src 'self'; script-src 'self' https://cdn.example.com;" }
] } ] }

# Express (app is your Express application; register this before your routes)
app.use((req, res, next) => {
  res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' https://cdn.example.com;");
  next();
});

Resource type to directive

Script blocked      → add to script-src
Stylesheet blocked  → add to style-src
Image blocked       → add to img-src
API call blocked    → add to connect-src
Font blocked        → add to font-src
Iframe blocked      → add to frame-src
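
Added example, not part of the original page: a small Node.js helper that reads a console error like the one above and adds the blocked origin to the directive the error names in an existing policy. The function names are hypothetical and only the "Refused to load the <type>" wording is handled; when the error names default-src, it creates the specific directive from the table above instead of widening default-src for every resource type.

```javascript
// Added example, not the page's own code: patch an existing CSP from a console error.
// The resource-to-directive map follows the page's table, for the
// "Refused to load the <type>" message form only (other wordings are not handled).
const DIRECTIVE_FOR = { script: 'script-src', stylesheet: 'style-src', image: 'img-src', font: 'font-src' };
const VIOLATION = /Refused to load the (\w+) '([^']+)' because it violates the following Content Security Policy directive: "([^"]+)"/;

function parseViolation(message) {
  const m = VIOLATION.exec(message);
  if (!m) return null;
  let url;
  try { url = new URL(m[2]); } catch { return null; }
  // Only http(s) origins are allow-listed here; data:, blob: etc. need a deliberate decision.
  if (!/^https?:$/.test(url.protocol)) return null;
  return { origin: url.origin, violated: m[3].trim().split(/\s+/)[0], wanted: DIRECTIVE_FOR[m[1]] };
}

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so keep the first occurrence only.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function allowOrigin(policy, message) {
  const v = parseViolation(message);
  if (!v || !v.wanted) throw new Error('unrecognised or unsupported CSP violation message');
  const directives = parsePolicy(policy);
  // When the error names default-src, the browser fell back to it. Create the
  // specific directive from default-src's sources rather than widening default-src.
  const target = v.violated === 'default-src' ? v.wanted : v.violated;
  const base = directives.get(target) || directives.get('default-src') || [];
  const sources = base.filter((s) => s !== "'none'"); // 'none' cannot be combined with a host
  if (!sources.includes(v.origin)) sources.push(v.origin);
  directives.set(target, sources);
  return [...directives].map(([name, srcs]) => [name, ...srcs].join(' ')).join('; ') + ';';
}

// Constructed sample input: the error text shown on this page.
const sampleError = "Refused to load the script 'https://cdn.example.com/widget.js' because it violates the following Content Security Policy directive: \"script-src 'self'\". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.";
console.log(allowOrigin("default-src 'self'; script-src 'self'", sampleError));
```

Review the returned policy before deploying it: the helper adds whatever origin the error names, so it should only be fed errors for resources you actually intend to load.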

Have multiple violations? CSPFixer scans your live page and generates a complete CSP that allows all your legitimate resources.