Content Security Policy


I am using Dragon 45 (the most recent version compatible with Windows XP) to test web pages.

I have a page (in fact many) with up to 50 thumbnails (photos) on each. Each thumbnail is a link which opens a new window with the photo full-size:

This works fine with all navigators except the Chrome family - the CSP refuses all inline JS and the onClick doesn’t fire.

I have put
Header set Content-Security-Policy “script-src ‘self’ ‘unsafe-inline’”
in the .htaccess and this is correctly returned in the HTTP headers from my Apache server, but the onClick still doesn’t work.

What am I doing wrong/not doing?

Thanks, regards

PS - threre are more than 1000 of these links - I can’t replace all the onClicks with event listeners!