Why is my CSP header middleware not working in Django?
I have an issue with the CSP header and how to set its parameters in the settings.py of my Django apps. Do you know how to set it up for script and style sources? And how do I put in the 'unsafe-inline' and 'style-src-elem'? Can someone explain how the parameters work?
settings.py
MIDDLEWARE = [
'csp.middleware.CSPMiddleware', ...]
# Each CSP_<DIRECTIVE> tuple becomes one directive in the header, e.g. CSP_STYLE_SRC -> style-src
CSP_DEFAULT_SRC = ("'none'", )
CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "fonts.googleapis.com", 'https://stackpath.bootstrapcdn.com')
# 'https//ajax.cloudflare.com' was missing the ':' after the scheme; repeated 'unsafe-inline' entries removed
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", "ajax.googleapis.com", "www.googletagmanager.com", "www.google-analytics.com", 'https://cdn.jsdelivr.net', 'https://code.jquery.com', 'https://ajax.cloudflare.com', 'http://cdnjs.cloudflare.com/ajax/libs/highlightjs-line-numbers.js/')
CSP_IMG_SRC = ("'self'", "data:", "www.googletagmanager.com", "www.google-analytics.com")
CSP_FONT_SRC = ("'self'", "'unsafe-inline'", "fonts.gstatic.com", 'https://fonts.cdnfonts.com', 'https://stackpath.bootstrapcdn.com')
CSP_CONNECT_SRC = ("'self'", )
CSP_OBJECT_SRC = ("'none'", )
CSP_BASE_URI = ("'none'", )
CSP_FRAME_ANCESTORS = ("'none'", )
CSP_FORM_ACTION = ("'self'", )
# A per-request nonce is appended to these directives; browsers ignore 'unsafe-inline' in a directive that carries a nonce
CSP_INCLUDE_NONCE_IN = ('script-src', 'script-src-elem')
# Report-Only: violations are logged to the console but nothing is blocked
CSP_REPORT_ONLY = True
Error returned in the Google Chrome console on localhost
Do you know what I should do? Is there an easier way?
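Added example, not code from the question or from django-csp itself: a small Python model of how django-csp turns CSP_* settings into a header, assuming its naming rule (CSP_SCRIPT_SRC becomes script-src), that CSP_INCLUDE_NONCE_IN appends a per-request nonce to the named directives (creating them if no setting exists), and that CSP_REPORT_ONLY switches the header name. The lint function flags source entries that browsers will not apply the way the settings suggest; SETTINGS is a constructed subset of the question's values.

```python
import secrets

# Constructed settings modelled on the question, keeping two of its defects
# (a source missing its ':' and 'unsafe-inline' beside a nonce) for the lint to find.
SETTINGS = {
    "CSP_DEFAULT_SRC": ("'none'",),
    "CSP_STYLE_SRC": ("'self'", "'unsafe-inline'", "fonts.googleapis.com"),
    "CSP_SCRIPT_SRC": ("'self'", "'unsafe-inline'", "https//ajax.cloudflare.com"),
    "CSP_INCLUDE_NONCE_IN": ("script-src", "script-src-elem"),
    "CSP_REPORT_ONLY": True,
}

def directive_name(setting):
    """CSP_SCRIPT_SRC -> script-src: django-csp's setting-to-directive naming rule."""
    return setting[len("CSP_"):].lower().replace("_", "-")

def build_header(settings, nonce):
    """Return (header_name, header_value) as the middleware would emit them."""
    parts = {directive_name(k): list(v) for k, v in settings.items()
             if k.startswith("CSP_") and k not in ("CSP_INCLUDE_NONCE_IN", "CSP_REPORT_ONLY")}
    # A directive listed in CSP_INCLUDE_NONCE_IN is created even if it has no CSP_* setting.
    for name in settings.get("CSP_INCLUDE_NONCE_IN", ()):
        parts.setdefault(name, []).append(f"'nonce-{nonce}'")
    header = ("Content-Security-Policy-Report-Only" if settings.get("CSP_REPORT_ONLY")
              else "Content-Security-Policy")
    return header, "; ".join(f"{n} {' '.join(s)}" for n, s in parts.items())

def lint(settings):
    """Findings about source lists that will not behave as the author intended."""
    findings = []
    nonce_in = set(settings.get("CSP_INCLUDE_NONCE_IN", ()))
    src_lists = {directive_name(k): v for k, v in settings.items() if k.endswith("_SRC")}
    for name, sources in src_lists.items():
        for src in sources:
            if "//" in src and "://" not in src:  # 'https//host' parses as host 'https' plus a path
                findings.append(f"{name}: malformed source {src!r}")
        if name in nonce_in and "'unsafe-inline'" in sources:
            findings.append(f"{name}: 'unsafe-inline' is ignored once a nonce is present")
    for name in nonce_in - set(src_lists):
        findings.append(f"{name}: only a nonce is set; browsers use it instead of the fallback directive")
    return findings

if __name__ == "__main__":
    name, value = build_header(SETTINGS, secrets.token_urlsafe(16))
    print(f"{name}: {value}")
    for finding in lint(SETTINGS):
        print("warning:", finding)
```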