Aymeric Bazire

Reputation: 13

Content Security Policy directive violated on a simple website

Sorry to bother you, but I'm working on my personal website and trying to integrate a Google Map (thank you CodePen for the great templates).

But I have to face a recurrent CSP error message, leading the map not to load:

Refused to load the script 'https://maps.googleapis.com/maps/api/js?key=AIzaSyBlSsS5JzdJLsuMEY24xeLAZOc7JAH6sr8' because it violates the following Content Security Policy directive: "script-src 'self' www.google-analytics.com".

I did some research before asking my question, as it seems to be a problem for quite a few people. I tried everything, including removing the Google Analytics script and adding this:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://apis.google.com https://maps.googleapis.com https://maps.gstatic.com www.google-analytics.com ajax.googleapis.com; object-src 'self'">

But it didn't change anything. My map won't load, and it kind of pisses me off!

Do you have any idea what I did wrong? Thanks a lot for your help! (If needed, I can show you the error live, but I don't want to "promote" my site here.)

Upvotes: 0

Views: 1463

Answers (1)

ghybs

Reputation: 53185

Line 479 of your .htaccess file says:

Header set Content-Security-Policy "script-src 'self' www.google-analytics.com"

Not sure your meta tag can override this.

You should probably modify that line in your .htaccess file instead, to include your other sources (in the case of Google Maps, "https://maps.googleapis.com").

Upvotes: 2
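
Added example, not part of the answer above or of the asker's site: when a page receives several Content Security Policies (here one from the `.htaccess` header and one from the meta tag), the browser enforces all of them, so a script must be allowed by every policy and a meta tag can only tighten what the header already permits. The sketch below models that with the two policies quoted on this page; the function names and the `https://example.test` origin are assumptions, and source matching is simplified to `'self'` and host sources (no paths, ports, wildcards, nonces or hashes).

```javascript
// Simplified model of how a browser combines several CSPs (added example).

// Parse "script-src a b; object-src c" into { 'script-src': ['a','b'], ... }
function parsePolicy(text) {
  const directives = {};
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression match the URL?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.includes('://')) {
    const s = new URL(source);
    return s.protocol === url.protocol && s.hostname === url.hostname;
  }
  // Scheme-less host source: simplified to a hostname match over http(s).
  return /^https?:$/.test(url.protocol) && source.toLowerCase() === url.hostname;
}

// Is the script allowed by ONE policy?
function policyAllowsScript(policyText, scriptUrl, pageOrigin) {
  const directives = parsePolicy(policyText);
  const list = directives['script-src'] || directives['default-src'];
  if (!list) return true; // this policy does not restrict scripts
  const url = new URL(scriptUrl);
  return list.some((src) => sourceMatches(src, url, pageOrigin));
}

// Every delivered policy (header and meta alike) must allow the load.
function browserAllowsScript(policies, scriptUrl, pageOrigin) {
  return policies.every((p) => policyAllowsScript(p, scriptUrl, pageOrigin));
}

const PAGE = 'https://example.test'; // constructed origin (assumption)
const MAPS = 'https://maps.googleapis.com/maps/api/js';
const HEADER = "script-src 'self' www.google-analytics.com"; // from .htaccess
const META = "script-src 'self' https://apis.google.com https://maps.googleapis.com " +
  "https://maps.gstatic.com www.google-analytics.com ajax.googleapis.com; object-src 'self'";
const FIXED_HEADER = HEADER + ' https://maps.googleapis.com'; // the suggested fix

console.log(browserAllowsScript([HEADER, META], MAPS, PAGE));       // false
console.log(browserAllowsScript([FIXED_HEADER, META], MAPS, PAGE)); // true
```
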
