Jamie Hutber
Reputation: 28076
How to use Content-Security-Policy with localhost files
I am getting the following error on my page:
Refused to load the script 'http://127.0.0.1:35729/livereload.js' because it violates the following Content Security Policy directive: "script-src https: 'unsafe-inline' 'unsafe-eval'".
HTML
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;">
</head>
<body>
<script src="http://127.0.0.1:35729/livereload.js"></script>
I have tried to use a completely open just to get it working and then work backwards, however I even get the same error with this.
To be clear, this isn't for producition code, this is just to enable my live-reload-webpack on a domain that is using https.
Upvotes: 8
Views: 22404
Answers (1)
Zelda
Reputation: 2124
You can use localhost:, though I believe using 'self' (including the single quotes) would also suffice in this situation. There are some odd cases where * is not actually all-inclusive (blob: for example is also excluded from * I believe).
As always it's good to check out your CSP with Google's Evaluator first.
Upvotes: 10
Related Questions
- Allow All Content Security Policy?
- how to add Content Security Policy (CSP)
- Content Security Policy bypass
- Content security policy including a script
- CSP - allowing my own scripts from given directory
- Content Security Policy ( style-src ) when load from localhost:xxxx
- Cors error on loading local css and js files
- Is it unsafe to add localhost to Content Security Policy?
- Refused to connect to URL because of violation of Content Security Policy
- How can you avoid cross-origin policy error when trying to access localhost?