Nginx - The Webserver
The problem:
(index):12 Applying inline style violates the following Content Security Policy directive 'default-src 'self''. Either the 'unsafe-inline' keyword, a hash ('sha256-6SxzJ0zhbEsnD+jnZJ2jGwtq0IZQ8qPCTQKVBzW1jlU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. The action has been blocked.
...
(index):20 Executing inline script violates the following Content Security Policy directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash ('sha256-7x9P718mvjeYHFtuP1i5KNU6LKjLUWAY1HqSbWRAp6s='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
...
(index):1 Loading the script 'https://code.jquery.com/jquery-3.7.1.min.js' violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.
...
(index):1 Loading the script 'https://unpkg.com/lunr@2.3.9/lunr.min.js' violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.
The conclusion
The web server, in combination with the browser, has forbidden reading the scripts and styles.
The remedy
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://unpkg.com/lunr@2.3.9/ https://code.jquery.com/ 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
Now it works for the time being, but 'unsafe-inline' is certainly not good. To change that, though, I think I would have to change the hashes?
Maybe it is a hint that the error message uses sha-256 hashes, while the code works with sha-384 and sha-512 hashes?
At first I would have thought that doesn't matter.
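One way to drop 'unsafe-inline' from the header above is to list a hash-source for each inline block; the sha256 value in the console messages is such a hash, computed by the browser over the inline text. The following is an added example, not part of the original page: it assumes the inline code sits in <script> and <style> elements (hash-sources do not cover style="..." attributes), uses a constructed sample page, and the names InlineCollector, csp_hash and build_header are hypothetical.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page (assumption, not the original site's HTML).
SAMPLE_HTML = """<html><head>
<style>body { margin: 0; }</style>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>console.log("search ready");</script>
</head><body></body></html>"""

# Allowed hosts are copied from the page's add_header line; hashes are filled in.
HEADER = ("add_header Content-Security-Policy \"default-src 'self'; "
          "script-src 'self' https://unpkg.com/lunr@2.3.9/ "
          "https://code.jquery.com/ {scripts}; style-src 'self' {styles}\";")

class InlineCollector(HTMLParser):
    """Collect the exact text of inline <script> and <style> elements."""

    def __init__(self):
        super().__init__()
        self.current = None  # tag being read, if it is an inline block
        self.blocks = {"script": [], "style": []}

    def handle_starttag(self, tag, attrs):
        # <script src=...> is external and is matched by host, not by hash.
        if tag in self.blocks and "src" not in dict(attrs):
            self.current = tag
            self.blocks[tag].append("")

    def handle_data(self, data):
        if self.current:
            self.blocks[self.current][-1] += data

    def handle_endtag(self, tag):
        if tag == self.current:
            self.current = None

def csp_hash(text):
    """Return a CSP hash-source: base64 of SHA-256 over the UTF-8 bytes."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_header(html):
    """Build the nginx header line with hashes instead of 'unsafe-inline'."""
    collector = InlineCollector()
    collector.feed(html)
    scripts = " ".join(csp_hash(b) for b in collector.blocks["script"])
    styles = " ".join(csp_hash(b) for b in collector.blocks["style"])
    return HEADER.format(scripts=scripts, styles=styles)
```

The hash covers the exact characters between the tags, so any change to an inline block, including whitespace, needs a new hash in the header.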
Where can we look further?
Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.