Content Security Policy?
a) I just noticed that your pfp is ++i; I do the same thing.
Now, to answer your question, yes!
Report that right away at /bugs. I never checked Repl.it's HTTP headers at all, especially not for
script-src allows a server to create a whitelist of what scripts and origins that a script may be executed from and requested from in a document served from the server.
Example: a server sends an HTML document, and the document has an inline script. If the CSP only whitelists HTTPS-served URLs, then it won't load.
In your case, it's denying everything; that is very bad.
It can also be set in a meta tag, but you didn't do that here, so it has to be Replit's server.
It's not a Repl.it issue. The Repl.it server does not send any Content Security Policy, because you are able to embed any third-party JS libs/widgets into the page - jQuery, MooTools, Dojo Widgets, reCaptcha, etc...
Repl.it has no chance of opening all of these in CSP, therefore it does not use it at all.
It could be one of 2 options:
- You placed a <meta http-equiv="Content-Security-Policy" content="script-src 'none';"> tag in the <head> section. Very low probability, because you asked this question.
- Some Chrome extensions like NoScript can inject a Content Security Policy header, Content-Security-Policy: script-src 'none', to block all scripts on the page.
But the blocked script, http://tiny-blue-square--programmeruser.repl.co/script.js, is definitely your script (it's marked by your nickname, programmeruser), therefore the lock occurs in Repl.it's iframe, where it shows the results of the code run.
No, it's it a problem with your code https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
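
Added example, not part of any post in this thread: a simplified JavaScript (Node.js) check of whether a script URL passes script-src when policies arrive by HTTP header, by meta tag, or both. The page URL, the policy objects and the function names are assumptions made for illustration; the script URL is the one quoted in the thread.

```javascript
// Added example: simplified script-src evaluation (ports, paths, nonces and hashes are ignored).
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // When a directive is repeated inside one policy, only the first occurrence counts.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Does a single source expression allow this script URL?
function sourceMatches(source, scriptUrl, pageUrl) {
  const s = source.toLowerCase();
  const proto = scriptUrl.protocol;
  if (s === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (s.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (s === '*') return proto === 'http:' || proto === 'https:';
  // Scheme source such as https: (http: also admits the https upgrade).
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === proto || (s === 'http:' && proto === 'https:');
  // Host source with optional scheme and leading wildcard, e.g. https://*.example.com
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme + ':' !== proto) return false;
  return wildcard ? scriptUrl.hostname.endsWith('.' + host) : scriptUrl.hostname === host;
}

// A script loads only if every delivered policy (HTTP header or <meta> tag) allows it.
function checkScript(policies, scriptHref, pageHref) {
  const scriptUrl = new URL(scriptHref);
  const pageUrl = new URL(pageHref);
  const blockedBy = [];
  for (const { origin, value } of policies) {
    const d = parsePolicy(value);
    const list = d['script-src-elem'] || d['script-src'] || d['default-src'];
    if (!list) continue; // this policy does not restrict scripts at all
    if (!list.some((src) => sourceMatches(src, scriptUrl, pageUrl))) blockedBy.push(origin);
  }
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed inputs: the script URL is the one quoted in the thread; the page URL is assumed.
const SCRIPT = 'http://tiny-blue-square--programmeruser.repl.co/script.js';
const PAGE = 'http://tiny-blue-square--programmeruser.repl.co/';
const metaNone = { origin: 'meta', value: "script-src 'none';" };
const headerHttps = { origin: 'header', value: 'script-src https:' };
console.log(checkScript([headerHttps, metaNone], SCRIPT, PAGE));
```

The `blockedBy` list names every delivery channel whose policy rejects the script, which is the question the thread is trying to settle: a policy added by a meta tag or an injected header can only tighten what is already in force, never loosen it.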