How do I find which resource is being blocked?

Check the browser console. The error message names the violated directive (e.g. script-src) and the blocked URL. Add that URL to the appropriate directive in your CSP.

Should I use unsafe-inline to fix CSP violations?

unsafe-inline in script-src allows any inline script to execute, which defeats XSS protection. Use nonces or hashes for inline scripts instead of unsafe-inline.

CSP Error

Content Security Policy Directive Violated

Q: What does CSP directive violated mean?

Your Content Security Policy blocked a resource from loading because its source was not in the allowed list for that directive. The browser enforces the policy and logs which directive and source caused the violation.

Last updated: April 2026

Browser Console Error

Refused to load the script 'https://cdn.example.com/script.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Your Content Security Policy blocked a resource because its source was not in the allowed list for that directive. The browser console tells you exactly which directive was violated and which URL was blocked.

Scan your live CSP →

How to read the error

The error message contains three key pieces of information: the blocked URL, the violated directive, and which directive is being used as a fallback. Example:

Refused to load the script 'https://cdn.example.com/script.js'
  because it violates "script-src 'self'"

This tells you: add https://cdn.example.com to your script-src directive.

Fix — add the blocked source to the directive

# Before
Content-Security-Policy: default-src 'self'; script-src 'self'

# After — add the CDN to script-src
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com

Common violations and fixes

Google Fonts blocked

style-src 'self' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;

Google Analytics blocked

script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com;
img-src 'self' https://www.google-analytics.com;

Inline scripts blocked

# Option 1 — use a nonce (most secure)
Content-Security-Policy: script-src 'self' 'nonce-RANDOM_VALUE'
# In HTML: <script nonce="RANDOM_VALUE">...</script>

# Option 2 — use a hash
Content-Security-Policy: script-src 'self' 'sha256-HASH_OF_SCRIPT'

# Option 3 — unsafe-inline (least secure, avoid if possible)
Content-Security-Policy: script-src 'self' 'unsafe-inline'

iframe blocked by frame-src

frame-src 'self' https://www.youtube.com https://player.vimeo.com;

Use report-only mode to find violations without breaking

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; report-uri /csp-report

Report-only mode logs violations to the console and to your report endpoint without actually blocking anything. Use it to audit your CSP before enforcing it.

Directive reference

default-src — fallback for all resource types not explicitly listed.

script-src — JavaScript sources. Violations here block script execution.

style-src — CSS sources. Violations here block stylesheet loading.

img-src — image sources including data: URIs.

font-src — web font sources.

frame-src — sources for iframes and frames.

connect-src — URLs for fetch, XHR, WebSocket connections.