Error Atlas: Error Documentation and Resolution

Azure Static Web Apps page fails because CSP blocks an inline script

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

A deployed Azure Static Web Apps site rendered HTML but failed during client-side startup because the Content Security Policy blocked an inline script required by the app runtime.

  • The deployed site sends a Content Security Policy that is stricter than the framework runtime can satisfy.
  • The script-src directive allows only external scripts and blocks inline runtime bootstrapping code.
  • A custom security-header configuration was added without accounting for the JavaScript framework's startup requirements.
  1. Review the deployed Content Security Policy headers and confirm that the script-src directive is compatible with the app runtime.
  2. If the framework requires inline startup scripts, add an appropriate nonce, hash, or controlled inline allowance instead of blocking all inline execution.
  3. Redeploy after updating the header configuration and retest in the browser console to confirm the CSP error is gone.
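
Steps 1 and 2 as an added Node.js example (not from the original page): it reports which inline scripts in built HTML a given policy would refuse and appends their sha256 hash sources to script-src. The sample HTML, sample policy and all function names are constructed for illustration; nonce sources and non-executed script types are not evaluated.

```javascript
// Added example: audit inline scripts in built HTML against a CSP script-src.
const { createHash } = require("node:crypto");

// CSP hash source for one inline script body (the exact bytes between the tags).
function cspHash(body) {
  return `'sha256-${createHash("sha256").update(body, "utf8").digest("base64")}'`;
}

// Bodies of inline <script> elements; a script with a src attribute is external.
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  return [...html.matchAll(re)]
    .filter(([, attrs, body]) => !/\bsrc\s*=/i.test(attrs) && body.length > 0)
    .map(([, , body]) => body);
}

// Source list that governs scripts: script-src, falling back to default-src.
function scriptSources(policy) {
  const directives = new Map();
  for (const d of policy.split(";")) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? [];
}

// Inline scripts the policy would refuse. 'unsafe-inline' only counts when no
// hash or nonce source is present, because browsers ignore it otherwise.
function blockedInlineScripts(html, policy) {
  const sources = scriptSources(policy);
  const hasHashOrNonce = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasHashOrNonce) return [];
  return inlineScripts(html).filter((body) => !sources.includes(cspHash(body)));
}

// Append the missing hashes to an existing script-src; other directives are kept.
function withInlineHashes(html, policy) {
  const missing = [...new Set(blockedInlineScripts(html, policy).map(cspHash))].join(" ");
  return policy.split(";").map((d) => d.trim()).filter(Boolean)
    .map((d) => (missing && /^script-src\s/i.test(d) ? `${d} ${missing}` : d))
    .join("; ");
}

// Constructed sample: one inline bootstrap script and one external bundle.
const SAMPLE_HTML = `<!doctype html><html><body><div id="app"></div>
<script>window.__APP_STATE__ = {"route": "/"};</script>
<script src="/assets/main.js"></script></body></html>`;
const SAMPLE_POLICY = "default-src 'self'; script-src 'self'";
console.log(withInlineHashes(SAMPLE_HTML, SAMPLE_POLICY));
```

The printed value can be set as the Content-Security-Policy entry under globalHeaders in staticwebapp.config.json. Recompute it after every build, since any change to an inline script changes its hash.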
MDN: Content-Security-Policy script-src