Refused To Execute Inline Script Following Content Security Policy Directive Violation

Issue Description: On accessing the Orchestrator, it does not load properly and throws below error in browser developer console,

“Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback”

Root Cause: Generally such errors occurs when there is custom rule in HTTP response Header "Content Security Policy " having value " "default-src 'self'".


  • Go to IIS Select and select the Orchestrator under Sites
  • Go to “HTTP Response Headers.”
  • Check if there is any Content security policy for custom http response header rule. if yes then remove the Content security policy custom rule

Read more on the Hardening Server Security By Implementing Security Headers .