[Pendragon] inline script error

Hi all, (I posted this in the bug section, but was recommended to post it in the character sheet forum, so...) I noticed that character sheets are not displaying properly in my Pendragon game - for some reason there seems to be a problem with image loading on the sheet - nothing in the console apart from the following message: app.roll20.net/:6 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'nonce-Dz3xJ4rPmMFO0Pvk' 'nonce-fhzjxfD2PUQLQVSI'&nbsp; <a href="https://cdn.roll20.net" rel="nofollow">https://cdn.roll20.net</a> &nbsp;&nbsp; <a href="https://www.datadoghq-browser-agent.com" rel="nofollow">https://www.datadoghq-browser-agent.com</a> &nbsp; <a href="http://cdn.inspectlet.com" rel="nofollow">http://cdn.inspectlet.com</a> &nbsp;https://*.googlesyndication.com https://*.doubleclick.net&nbsp; <a href="https://partner.googleadservices.com" rel="nofollow">https://partner.googleadservices.com</a> &nbsp; <a href="https://www.googletagservices.com" rel="nofollow">https://www.googletagservices.com</a> &nbsp; <a href="https://ssl.google-analytics.com" rel="nofollow">https://ssl.google-analytics.com</a> &nbsp; <a href="https://www.google-analytics.com" rel="nofollow">https://www.google-analytics.com</a> &nbsp; <a href="https://ajax.googleapis.com" rel="nofollow">https://ajax.googleapis.com</a> &nbsp; <a href="http://ajax.googleapis.com" rel="nofollow">http://ajax.googleapis.com</a> &nbsp; <a href="https://d3clqjduf2gvxg.cloudfront.net" rel="nofollow">https://d3clqjduf2gvxg.cloudfront.net</a> &nbsp; <a href="https://cdn.firebase.com" rel="nofollow">https://cdn.firebase.com</a> &nbsp;https://*.firebaseio.com https://*.tokbox.com https://*.opentok.com&nbsp; <a href="http://static.opentok.com" rel="nofollow">http://static.opentok.com</a> &nbsp; <a href="http://www.google-analytics.com" rel="nofollow">http://www.google-analytics.com</a> &nbsp; <a href="http://cdn.crowdin.com" rel="nofollow">http://cdn.crowdin.com</a> &nbsp; <a href="https://crowdin.com" rel="nofollow">https://crowdin.com</a> &nbsp; <a href="http://stun.l.google.com" rel="nofollow">http://stun.l.google.com</a> &nbsp;*.sentry-cdn.com https://*.fullstory.com&nbsp; <a href="https://cdn.userleap.com" rel="nofollow">https://cdn.userleap.com</a> ". Either the 'unsafe-inline' keyword, a hash ('sha256-vesdt34+00Dgp25cKC3RSg5MJKOHhBCiNcNWC61Mem4='), or a nonce ('nonce-...') is required to enable inline execution. Sheet was working fine until now. Bug reproduced by all players, and in Chrome and Edge Any idea what might cause that?

When this happens, it's usually because the image url is broken. That image you see is the standard roll20 placeholder for missing images. I don't know if you normally get a script warning like that - maybe the image link has been hijacked and replaced with malware and roll20's security is stopping it loading. Either way, the root cause is the same - the image link is broken. Images on a sheet are just links to a picture hosted somehwere else. You can host it in the roll20 github, and that makes them safe. But some images are hosted in imgur, photobucket or other external sites, and they sometimes get removed, causing it to not show up on the sheet. The only way this can be fixed is for someone to edit the sheet, and replace the image link (hopefully pointing to a copy of the original link, but at worst case removing the link).

Thanks for the pointer, we'll have a look at it :)

Thanks David, it's not the same character sheet though, it's a different one - "Pendragon French" it is called :) Looks like the issue has to do with a missing image in the background, modified the css &amp; created a pull request - hopefully it should resolve the issue

Yes indeed, I created the request :) Fingers crossed it can go through today

Griselame said: Yes indeed, I created the request :) Fingers crossed it can go through today This thread can be closed then.

I would say so yes :)