{
  "id": "flutter/flutter-web-csp-violation",
  "signature": "Content Security Policy: The page's settings blocked the loading of a resource at inline-script",
  "signature_zh": "内容安全策略：页面设置阻止了内联脚本资源的加载",
  "regex": "Content Security Policy: The page's settings blocked the loading of a resource at inline-script",
  "domain": "flutter",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "Flutter web app requires inline scripts (e.g., for CanvasKit or service workers) but the server's Content Security Policy (CSP) header blocks them, often due to missing 'unsafe-inline' or nonce.",
  "root_cause_type": "generic",
  "root_cause_zh": "Flutter Web 应用需要内联脚本（例如用于 CanvasKit 或 Service Worker），但服务器的内容安全策略（CSP）标头阻止了它们，通常是由于缺少 'unsafe-inline' 或 nonce。",
  "versions": [
    {
      "version": "Flutter 3.16",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Dart 3.2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Chrome 120",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Firefox 121",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Disabling CSP exposes the app to XSS attacks and violates security best practices; many hosting providers enforce CSP at the infrastructure level.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Switching renderers may change visual behavior and performance; it also doesn't resolve CSP issues if the app still uses inline scripts for other purposes.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "If the server already sends a CSP header, the meta tag is ignored; the more restrictive policy applies, so the error persists.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Update the server's CSP header to include 'script-src 'self' 'unsafe-inline' 'unsafe-eval';' for Flutter web apps. For nginx: `add_header Content-Security-Policy \"script-src 'self' 'unsafe-inline' 'unsafe-eval'\";`",
      "success_rate": 0.9,
      "how": "Update the server's CSP header to include 'script-src 'self' 'unsafe-inline' 'unsafe-eval';' for Flutter web apps. For nginx: `add_header Content-Security-Policy \"script-src 'self' 'unsafe-inline' 'unsafe-eval'\";`",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use a nonce-based CSP: generate a random nonce per request and add it to the script tag in the HTML template, then set `script-src 'self' 'nonce-{nonce}'`.",
      "success_rate": 0.85,
      "how": "Use a nonce-based CSP: generate a random nonce per request and add it to the script tag in the HTML template, then set `script-src 'self' 'nonce-{nonce}'`.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Build Flutter web with `--web-renderer canvaskit --csp` to enable CSP-compatible mode, then adjust the server CSP to allow only 'self' for scripts and styles.",
      "success_rate": 0.8,
      "how": "Build Flutter web with `--web-renderer canvaskit --csp` to enable CSP-compatible mode, then adjust the server CSP to allow only 'self' for scripts and styles.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Update the server's CSP header to include 'script-src 'self' 'unsafe-inline' 'unsafe-eval';' for Flutter web apps. For nginx: `add_header Content-Security-Policy \"script-src 'self' 'unsafe-inline' 'unsafe-eval'\";`",
    "Use a nonce-based CSP: generate a random nonce per request and add it to the script tag in the HTML template, then set `script-src 'self' 'nonce-{nonce}'`.",
    "Build Flutter web with `--web-renderer canvaskit --csp` to enable CSP-compatible mode, then adjust the server CSP to allow only 'self' for scripts and styles."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.flutter.dev/deployment/web#content-security-policy",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.84,
  "fix_success_rate": 0.88,
  "resolvable": "true",
  "first_seen": "2024-05-12",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}