I ran into a problem with a webpage that I'd made. When I accessed it, it did not seem to work, and the console told me: Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src"). (To get to the console in Firefox, click the icon in the upper-right corner that looks like 3 horizontal line segments, then "Web Developer" from the drop-down menu, then "Web Console".) What's worse is that when I looked to find a solution, it appeared that the page itself was the problem. I tried a few things that did not work, before I realized that the same page worked well, when I accessed it from a different server. That is, I copied the code from one server to another. Loading it (from Firefox) from one server gave me this error. Loading it (also from Firefox) from the other server did not give me this error, and it worked fine. So it must be something on the server that is causing this problem. Fortunately, I have the access to fix the problem in the server. On the server that hosts the page, the "/etc/httpd/conf/httpd.conf" file said: Header set Content-Security-Policy "default-src 'self';" I changed it to say: Header set Content-Security-Policy "default-src 'self' script-src 'unsafe-inline';" Now the script in the webpage works, at least partly. It still objected to the set.interval call. So I changed it again to: Header set Content-Security-Policy "default-src 'self' script-src 'unsafe-inline' 'unsafe-eval';" and then it worked. -MCW, February 7, 2020 ---------- Update: The file works fine under Firefox. I got a report that someone was still getting an error message, but has not been able to show me exactly what is happening. I tried loading these files under Chrome, and it admonished me with "The Content Security Policy directive 'default-src' contains 'script-src' as a source expression. Did you mean 'default-src ...; script-src...' (note the semicolon)?" So I added a semi-colon to the line, as below: [mweeks@gamedev conf]$ diff httpd_conf.good httpd.conf 362c362 < Header set Content-Security-Policy "default-src 'self' script-src 'unsafe-inline' 'unsafe-eval';" --- > Header set Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval';" [mweeks@gamedev conf]$ I restarted the apache server, and still got this message after reloading the test pages. Then I cleared all the cache from Chrome, shut it down, restarted it, and it no longer gave me that error. The browser seemed to remember the old .htaccess file even after the server's copy was changed, and even after tha server was restarted, Now it works, at least under FireFox and Chrome. -MCW Wed Feb 26, 2020