Skip to main content
Solved

Refused to execute inline script because it violates the following Content Security policy directive

n8mandreza

I’m trying to implement an OAuth flow to connect my team’s DAM to a Figma plugin to allow us to fetch assets from the DAM from Figma. At the moment I’m running into a CSP error when I try to use Figma.showUI.

Note: Using more generic URLs here

In main.ts:

  figma.showUI(
    `<script>window.location.href = "https://oauth.vercel.app"</script>`,
    {height: 640, width: 440}
  )

The full console error reads:

Refused to execute inline script because it violates the following Content Security Policy directive: “default-src data: blob: https://company.dam.com https://oauth.vercel.app”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Q+8tPsjVtiDsjF/Cv8FMOpg2Yg91oKFKDAJat1PPb2g=’), or a nonce (‘nonce-…’) is required to enable inline execution. Note also that ‘script-src’ was not explicitly set, so ‘default-src’ is used as a fallback.

I tested it by replacing window.location.href = "https://oauth.vercel.app" with my own personal website (and added my personal site’s URL to networkAccess.allowedDomains) which worked. I’m unsure now why I’m getting the inline script error.

Best answer by n8mandreza

If anyone runs into this error, I had to fix the CSP header in my hosted UI.

View original

Gleb
  • Gleb
  • Power Member
  • March 16, 2024

https://www.figma.com/plugin-docs/oauth-with-plugins/

n8mandreza

If anyone runs into this error, I had to fix the CSP header in my hosted UI.

Reply


Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings