Title: style-src
Last modified: June 27, 2024

---

# style-src

 *  Resolved [fuzzy21](https://wordpress.org/support/users/fuzzy21/)
 * (@fuzzy21)
 * [1 year, 11 months ago](https://wordpress.org/support/topic/style-src/)
 * I cannot figure out how to fix this:
 * [Report Only] Refused to execute inline script because it violates the following
   Content Security Policy directive: “script-src ‘self’ https: [https://cdnjs.cloudflare.com](https://cdnjs.cloudflare.com)
   [https://script.crazyegg.com](https://script.crazyegg.com) ‘nonce-2214f199ebd499f0d215-
   shortened’ ‘report-sample'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-
   d5AXR2g0ALC-shortened’), or a nonce (‘nonce-…’) is required to enable inline 
   execution.
 * I whitelisted all the urls.
 * I have nonce enabled on style-src. Is there something else need to do?
 * This is happening on the default WordPress page of the site. It’s an internal
   site, so I don’t ahve a url.

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Plugin Author [Giuseppe](https://wordpress.org/support/users/mociofiletto/)
 * (@mociofiletto)
 * [1 year, 11 months ago](https://wordpress.org/support/topic/style-src/#post-17862217)
 * I think you should include the 2 domains in your script-src directive from the“
   base rules” tab and chose nonce for external sources in script-src (the option
   is in the settings tab)
 *  Thread Starter [fuzzy21](https://wordpress.org/support/users/fuzzy21/)
 * (@fuzzy21)
 * [1 year, 11 months ago](https://wordpress.org/support/topic/style-src/#post-17863700)
 * I entered the domains and nonce was selected, but still not working. The domain
   is whitelisted as well. I changed to hash and then back to nonce, but still…
 *  Plugin Author [Giuseppe](https://wordpress.org/support/users/mociofiletto/)
 * (@mociofiletto)
 * [1 year, 11 months ago](https://wordpress.org/support/topic/style-src/#post-17864437)
 * In your previous message you said that nonce was enabled for style-src and not
   for script-src. Can you double check it and post a screenshot of your settings?
 * More, can you post the relevant part of the html with the <script> tags that 
   require those sources?
 * There could be a problem if those tags are added by another script that uses 
   appendChild() or insertBefore() (I am working on this for next release) but it
   is impossible to guess it, if I cannot see the page.
 *  Thread Starter [fuzzy21](https://wordpress.org/support/users/fuzzy21/)
 * (@fuzzy21)
 * [1 year, 11 months ago](https://wordpress.org/support/topic/style-src/#post-17864556)
 * ![](https://i0.wp.com/live.staticflickr.com/65535/53831336029_d70125a997_m.jpg?
   ssl=1)
 * ![](https://i0.wp.com/live.staticflickr.com/65535/53831432190_a946db1e83_m.jpg?
   ssl=1)
 * Hopefully you can see those. Settings are both nonce…
 *  Plugin Author [Giuseppe](https://wordpress.org/support/users/mociofiletto/)
 * (@mociofiletto)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/style-src/#post-17864816)
 * that is not an external script, but an inline one.
 * Please, enable nonce for inline scripts too (it is another option called **inline_scripts_mode**)
   and it is just beyond SRI options.
 * Do you know how it is added to the page? It is after the html closing tab, why?
 *  Thread Starter [fuzzy21](https://wordpress.org/support/users/fuzzy21/)
 * (@fuzzy21)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/style-src/#post-17866080)
 * inline scripts is set to nonce.
 * It is Query Monitor plugin that is putting it in there.
 * Thanks,
 *  Plugin Author [Giuseppe](https://wordpress.org/support/users/mociofiletto/)
 * (@mociofiletto)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/style-src/#post-17874404)
 * [@fuzzy21](https://wordpress.org/support/users/fuzzy21/) I’m working on this 
   issue.
 * The problem is:
   no-unsafe-inline (via its mu-plugin) adds a closure to the shutdown
   action hook with 0 priority (and this is needed to be sure that the closure is
   executed before wp runs ob_end_flush() on each open output buffer level);
 * query-monitor adds to the shutdown hook an action to dispatch its output with
   a priority of 9 [https://github.com/johnbillion/query-monitor/blob/2b58634b37b8e7de52d8363c741053f42b7c8079/dispatchers/Html.php#L52](https://github.com/johnbillion/query-monitor/blob/2b58634b37b8e7de52d8363c741053f42b7c8079/dispatchers/Html.php#L52)
 * This causes that the action added by query monitor runs after that no-unsafe-
   inline performs its stuff, and this is why the query-monitor inline scripts are
   not captured (and cannot be whitelisted).
 * However, if I simply increase the priority of the no-unsafe-inline closure to
   something bigger than 9, it will run after that wp default action has run because
   the wp core adds this action with a priority of 1:
 * [https://github.com/WordPress/wordpress-develop/blob/e3e7fdbf7c3fd9f04871118a16b98f1544e94984/src/wp-includes/default-filters.php#L413](https://github.com/WordPress/wordpress-develop/blob/e3e7fdbf7c3fd9f04871118a16b98f1544e94984/src/wp-includes/default-filters.php#L413)
 * Now I’m testing a solution that will early remove the default wp action when 
   no-unsafe-inline is in place, and then, arise the no-unsafe-inline closure priority
   to be sure it runs after all others actions added to the shutdown hook.
 * Please, wait for next release, and thanks for reporting.
 *  Thread Starter [fuzzy21](https://wordpress.org/support/users/fuzzy21/)
 * (@fuzzy21)
 * [1 year, 10 months ago](https://wordpress.org/support/topic/style-src/#post-17893934)
 * Great, thank you, looking forward to trying it.

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘style-src’ is closed to new replies.

 * ![](https://ps.w.org/no-unsafe-inline/assets/icon-256x256.png?rev=2699768)
 * [No unsafe-inline](https://wordpress.org/plugins/no-unsafe-inline/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/no-unsafe-inline/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/no-unsafe-inline/)
 * [Active Topics](https://wordpress.org/support/plugin/no-unsafe-inline/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/no-unsafe-inline/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/no-unsafe-inline/reviews/)

 * 8 replies
 * 2 participants
 * Last reply from: [fuzzy21](https://wordpress.org/support/users/fuzzy21/)
 * Last activity: [1 year, 10 months ago](https://wordpress.org/support/topic/style-src/#post-17893934)
 * Status: resolved