Reputation: 178
I have a strange problem with one server (the hosting company is Etisalat in the UAE). The website is not loading external scripts (also Google Fonts), background images, or some JavaScript.
The error I get in the console looks like:
"Content Security Policy: The page’s settings blocked the loading of a resource at https://fonts.googleapis.com/css?family=Noto+Sans:400,700,400italic (“default-src http://riviera.ae http://googleapis.com”)"
I've tried adding the following to the <head> section:
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval'">
But it still does not load. The images and others work well in Internet Explorer (but XHR gives an error; I haven't tested it completely).
I also tried the following in .htaccess:
Header set Content-Security-Policy "default-src 'self' googleapis.com; script-src 'self' www.googleapis.com;"
I hope it's not against Stack Overflow policies to share the link of the domain (riviera.ae). Thanks for checking it out.
NB: I tried putting the same application on another server (*nix-based systems with Apache 2+) and it works fine. Even a phpinfo() gives the output in plain text (no PHP logo is shown, nor are the table styles rendered).
Upvotes: 0
Views: 128
Reputation: 178
I got it working by putting "Header unset Content-Security-Policy" in the .htaccess file. I have to add other directives to make it secure, though.
Upvotes: 1
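Why the policies quoted in the question block the font stylesheet, as an added example that is not part of the original posts: browsers enforce every CSP they receive, so a permissive `<meta>` policy cannot relax the header already sent by the server, and a host-source such as `googleapis.com` does not cover `fonts.googleapis.com`. The matcher is a simplified sketch of CSP source matching; the page URL and the `FIXED` policy are assumptions made for the example.

```javascript
// Simplified CSP source matching: '*', 'self', host-sources with optional
// scheme and "*." wildcard. Ports, paths, nonces and hashes are ignored.
function sourceMatches(expr, url, self) {
  if (expr === "*") return ["http:", "https:"].includes(url.protocol);
  if (expr === "'self'") return url.origin === self.origin;
  if (expr.startsWith("'")) return false; // 'unsafe-inline' etc. match no URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expr);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ":" : null; // null: any scheme (simplified)
  const host = m[2].toLowerCase();
  // An http: source also matches https: URLs (upgrade), never the reverse.
  const upgrade = scheme === "http:" && url.protocol === "https:";
  if (scheme && scheme !== url.protocol && !upgrade) return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host; // no implicit subdomain match
}

function policyAllows(policy, directive, url, self) {
  const dirs = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) dirs[name.toLowerCase()] = sources;
  }
  const sources = dirs[directive] || dirs["default-src"]; // fetch directives fall back
  if (!sources) return true; // this policy does not restrict the resource type
  return sources.some((s) => sourceMatches(s, url, self));
}

// Every delivered policy (header and <meta>) is enforced: a load must pass all.
function allowed(policies, directive, href, selfHref) {
  const url = new URL(href), self = new URL(selfHref);
  return policies.every((p) => policyAllows(p, directive, url, self));
}

const PAGE = "http://riviera.ae/"; // assumed page URL
const FONT_CSS = "https://fonts.googleapis.com/css?family=Noto+Sans:400,700,400italic";
const SERVER = "default-src http://riviera.ae http://googleapis.com"; // from the console error
const META = "default-src * 'unsafe-inline' 'unsafe-eval'"; // the <meta> attempt
const HTACCESS = "default-src 'self' googleapis.com; script-src 'self' www.googleapis.com;";
// Assumed replacement policy for this example, not taken from the page:
const FIXED = "default-src 'self'; style-src 'self' https://fonts.googleapis.com; " +
  "font-src https://fonts.gstatic.com";

function demo() {
  const check = (...p) => allowed(p, "style-src", FONT_CSS, PAGE);
  return { server: check(SERVER), meta: check(META), serverPlusMeta: check(SERVER, META),
           htaccess: check(HTACCESS), fixed: check(FIXED) };
}
console.log(demo());
```

The `meta` policy alone would allow the stylesheet, but combined with the server header the load is still refused; a narrow policy that names `fonts.googleapis.com` explicitly passes without removing CSP altogether.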