svg - Why custom headers for "Content Security Policy" not working on github?

I am trying to deliver an SVG response with the help of NodeJS. This SVG has a small inline JavaScript code that dynamically calculates the width of the SVG. Everything works when the APIs are called directly using the browser. But when I use these APIs in GitHub's readme (to serve SVGs in readmes) it's not allowing me to run this inline JavaScript code stored in the SVG.

When any SVG is added, a link is generated by GitHub that looks like https://camo.githubusercontent.com/some-unique-id-for-each-content, and when I opened this link directly in the browser it showed the following error in the browser's console:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

But the problem is that I am setting the custom Content-Security-Policy headers before sending the response, which looks like this:

// Headers set on the SVG response before it is sent
res.setHeader("Content-Type", "image/svg+xml");
// The policy explicitly allows inline scripts via script-src
res.setHeader("Content-Security-Policy", "default-src 'self'; img-src data:; style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'");

And it seems that the custom script-src is not working with GitHub readmes. I have also tried to set the hash value, but nothing is affecting the headers.

Can anyone correct me or tell me what's wrong in here?


1 Reply


GitHub doesn't allow users to execute custom JavaScript when you're viewing an SVG because they set their own Content-Security-Policy header. That's because in general, untrusted JavaScript can do malicious things and GitHub doesn't want people to steal credentials or to become a malware vector.

All user-provided SVGs rendered on GitHub will be subject to this restriction because all images on GitHub are proxied through Camo to prevent malicious JavaScript and tracking, and consequently all images are sent with GitHub's Content-Security-Policy header, not yours. If you want to run JavaScript in SVGs, it will need to be done on your own site only.
