Fix guide · high · csp_external_script_blocked
External <script src=> blocked by declared CSP
A <script src="https://..."> tag in your HTML loads from an origin that your declared CSP doesn't allow under script-src. The browser refuses to fetch or execute it.
Why it matters
Your CSP's script-src directive lists the origins permitted to host JavaScript on your page. When an HTML <script src="..."> tag references an origin not on that list, the browser blocks the load — no fetch, no execution, no fallback. The result is a missing dependency in production.
Common causes we see:
- Dependency added without updating the policy. A developer integrated a new analytics tool or third-party widget, but the CSP header (often stored in `_headers`, an nginx config, or a CDN-level rule) wasn't updated alongside it.
- Subdomain mismatch. The policy says `script-src 'self' cdn.example.com`, but the tag actually loads from `assets.example.com` or `static.cdn.example.com`. CSP host matching is exact unless the source uses a wildcard such as `*.example.com` (which matches subdomains, not `example.com` itself); subdomain drift breaks it.
- Scheme mismatch. The policy lists `https://example.com`, but the tag uses `//example.com` (protocol-relative), which resolves to `http://` on an http page. A source expression with an `https://` scheme never matches an `http://` URL.
Symptom: page functionality silently degrades in production. Analytics stop reporting. Embedded chat widgets don't appear. The violation shows up only in the browser console (and at your `report-uri` / `report-to` endpoint, if you configured one), and how loudly browsers surface it varies, so the bug often slips through QA.
How to fix it
- Confirm the tag should be there. If the dependency is intentional, you need to allow its origin. If it's an artifact (left from a removed integration, accidental commit), remove the tag.
- Add the origin to `script-src`. Be specific: use the exact host, not a wildcard:
```http
Content-Security-Policy: script-src 'self' https://js.stripe.com https://cdn.example.com;
```
- For multiple subdomains of one operator, use the explicit wildcard:
```http
script-src 'self' https://*.stripe.com;
```
  This is safer than the bare scheme source `https:` (which allows ANY https origin), but it is still broader than an exact host: every subdomain of that operator becomes a permitted script source, and `*.stripe.com` does not match `stripe.com` itself.
- Always pair with Subresource Integrity on third-party scripts (see /fix/missing_sri_external_script). CSP says "this origin is allowed"; SRI says "this exact byte sequence is allowed." Together they mean a compromised or tampered CDN cannot get a modified script executed. Two caveats: cross-origin SRI needs `crossorigin="anonymous"` on the tag and CORS headers from the CDN, and SRI only works for scripts whose bytes are stable; a loader the vendor updates in place will fail its hash and stop loading.
- Don't add `'unsafe-inline'` or wildcards to make the error go away. `'unsafe-inline'` wouldn't even fix this finding (it governs inline scripts, not which origins may host external ones), and broad wildcards are how strict CSPs degrade into permissive ones. If you need an exception, scope it tightly: an exact host, or a nonce on the loader tag plus `'strict-dynamic'` if that loader in turn injects further scripts.
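The matching rules behind the causes above, and the "does the new header actually allow every tag" check behind the fix steps, can be run before deploying. The following is an added example written for this guide; it is not vibecheck's own code and not the browser's implementation. It models the CSP source-expression rules that matter for external scripts (`'self'`, scheme sources like `https:`, host sources with optional scheme, `*.` wildcard and port) and deliberately ignores path parts, nonces, hashes and `'strict-dynamic'`, which do not affect host matching of a plain `<script src>`. The HTML snippet, the two policies and the `shop.example.test` page origin are constructed sample data, not taken from any real report.

```javascript
// Added example: pre-deploy check that a CSP script-src list allows every
// <script src> in an HTML document. Assumptions: path parts of source
// expressions are ignored; nonce/hash/'strict-dynamic' sources are not modelled.

// Policy scheme A matches URL scheme B if equal, or if the spec's secure
// upgrade applies (an http source also matches https; ws also matches wss).
function schemeMatches(a, b) {
  return a === b || (a === "http" && b === "https") || (a === "ws" && b === "wss");
}

// Pull the governing source list out of the header: script-src, or
// default-src as fallback when script-src is absent.
function parseScriptSources(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get("script-src") || directives.get("default-src") || [];
}

// Does one source expression allow scriptUrl when the page lives at pageOrigin?
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl, pageOrigin); // resolves "/app.js" and "//host/x.js"
  const page = new URL(pageOrigin);
  const urlScheme = url.protocol.slice(0, -1);
  const pageScheme = page.protocol.slice(0, -1);
  const lower = expr.toLowerCase();

  if (lower === "'self'") {
    return schemeMatches(pageScheme, urlScheme) &&
      url.hostname === page.hostname && url.port === page.port;
  }
  if (lower.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes: never a host match
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) { // scheme source such as "https:"
    return schemeMatches(lower.slice(0, -1), urlScheme);
  }

  // host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(lower);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (!schemeMatches(scheme || pageScheme, urlScheme)) return false; // no scheme: page scheme applies
  if (host.startsWith("*.")) {
    // "*.example.com" matches "a.example.com" but not the apex "example.com"
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== "*" && url.hostname !== host) {
    return false; // exact host match; subdomain drift fails here
  }
  if (port === undefined) return url.port === ""; // no port in policy: URL must use the scheme default
  return port === "*" || url.port === port;
}

function scriptAllowed(header, scriptUrl, pageOrigin) {
  return parseScriptSources(header).some((expr) => sourceMatches(expr, scriptUrl, pageOrigin));
}

// Collect every <script src=...> in the HTML that the policy would block.
function blockedScripts(html, header, pageOrigin) {
  const blocked = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!scriptAllowed(header, m[1], pageOrigin)) blocked.push(m[1]);
  }
  return blocked;
}

// Constructed sample: an http page, its tags, and the policy before/after the fix.
const PAGE_ORIGIN = "http://shop.example.test";
const SAMPLE_HTML = `
<script src="/app.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://static.cdn.example.com/widget.js"></script>
<script src="//example.com/legacy.js"></script>
`;
const POLICY_BEFORE = "default-src 'none'; script-src 'self' cdn.example.com https://example.com";
const POLICY_AFTER = "default-src 'none'; script-src 'self' https://js.stripe.com https://*.example.com https://example.com";

console.log("blocked before:", blockedScripts(SAMPLE_HTML, POLICY_BEFORE, PAGE_ORIGIN));
console.log("blocked after: ", blockedScripts(SAMPLE_HTML, POLICY_AFTER, PAGE_ORIGIN));
```

Before the fix, three of the four tags are blocked: the Stripe host is absent, `static.cdn.example.com` is not `cdn.example.com`, and the protocol-relative tag resolves to `http://example.com`, which the `https://example.com` source refuses. After widening the policy, the protocol-relative tag is still blocked; the remedy for that one is to write `https://` into the tag, not to loosen the header further.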
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.