Refused to execute inline script because it violates the following Content Security policy directive

Question

I’m trying to implement an OAuth flow to connect my team’s DAM to a Figma plugin to allow us to fetch assets from the DAM from Figma. At the moment I’m running into a CSP error when I try to use Figma.showUI.

Note: Using more generic URLs here

In main.ts:

  figma.showUI(
    `<script>window.location.href = "https://oauth.vercel.app"</script>`,
    {height: 640, width: 440}
  )

The full console error reads:

Refused to execute inline script because it violates the following Content Security Policy directive: “default-src data: blob: https://company.dam.com https://oauth.vercel.app”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Q+8tPsjVtiDsjF/Cv8FMOpg2Yg91oKFKDAJat1PPb2g=’), or a nonce (‘nonce-…’) is required to enable inline execution. Note also that ‘script-src’ was not explicitly set, so ‘default-src’ is used as a fallback.

I tested it by replacing window.location.href = "https://oauth.vercel.app" with my own personal website (and added my personal site’s URL to networkAccess.allowedDomains) which worked. I’m unsure now why I’m getting the inline script error.

n8mandreza · Accepted Answer

If anyone runs into this error, I had to fix the CSP header in my hosted UI.

Gleb · Answer

https://www.figma.com/plugin-docs/oauth-with-plugins/

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded