Reputation: 103
The Content Security Policy 'default-src * data:;' was delivered via a <meta> element outside the document's <head>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
<meta http-equiv="Content-Security-Policy" content="default-src * data:; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'">
<script src="components/loader.js"></script>
<script src="lib/angular/angular.min.js"></script>
<script src="lib/onsenui/js/onsenui.min.js"></script>
<script src="lib/onsenui/js/angular-onsenui.min.js"></script>
<link rel="stylesheet" href="components/loader.css">
<link rel="stylesheet" href="lib/onsenui/css/onsenui.css">
<link rel="stylesheet" href="lib/onsenui/css/onsen-css-components.css">
<link rel="stylesheet" href="css/style.css">
</head>
This 'meta' tag is working in index.html but it doesn't work in other .html pages. I tried to change the config.html from this
<allow-navigation href="*"/>
to this.
<allow-navigation href="http://*/*"/>
I've tried to change the meta tag but I still get this error.
Can anyone help me? Thanks in advance.
Upvotes: 5
Views: 13730
Answers (3)
Reputation: 25704
Similar to Andrew DeVries' answer https://stackoverflow.com/a/53326635/31668, my issue in a custom VS Code extension, which is based on Electron, also experienced the same error, and was due to a UTF-8 BOM.
In my case the fix was to remove the BOM from the document, which many text editors support. For example, in Windows Notepad you can select Save As, and then choose the encoding as UTF-8, which does not have a BOM.
Then in VS Code this file worked with a <meta http-equiv="Content-Security-Policy" content="..." /> tag.
Upvotes: 0
Reputation: 151
I saw this error because I was doing an include of a file that contained the meta tag and the utf8 prefix on the file was causing the issue. Using an IIS web.config like so made it work and easier to manager changes then an include
<?xml version="1.0"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<!-- In Order for the Mobile App to Access Sota we need to remove the X-Fram-Options and fall back to the newer Content-Security-Policy we include /include/Content-Security-Policy-->
<remove name="X-Frame-Options"/>
<add name="Content-Security-Policy" value="default-src 'self'; style-src 'self' 'unsafe-inline'; media-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self'"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
Upvotes: 0
Reputation: 61
Regarding your error. I was getting the same error but it was because I was var_dump-ing to the screen above the <head> as part of my testing. I suppose similar problem or error would arise if you printed/echoed/wrote to the screen above the meta tag somewhere.
Upvotes: 4
Related Questions
- Refused to load the script because it violates the following Content Security Policy directive
- How to define Content-Security-Policy in Cordova properly?
- "No Content-Security-Policy meta tag found." error in my phonegap application
- Refused to load the image because it violates content-securtiy-policy -- Cordova
- Content-Security-Policy error https://ssl.gstatic.com
- Cordova - refuse to execute inline event handler because it violates the following content Security policy
- Cordova error: Refused to execute inline script because it violates the following Content Security Policy directive
- Cordova : Content Security Policy directive: "media-src *"
- The Content-Security-Policy directive 'child-src' is implemented behind a flag which is currently disabled
- Content Security Policy Error