 

Content-Security-Policy for Cordova not loading external scripts and stylesheets (404 error)

I currently have the 'Content-Security-Policy' meta tag for Cordova set to:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

If I run the Android emulator, I see the following error:

Refused to load the stylesheet 'https://....min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".

If I change the 'Content-Security-Policy' meta tag to:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://* 'unsafe-eval'; style-src 'self' https://* 'unsafe-inline'; media-src *">

I get the following error:

Failed to load resource: the server responded with a status of 404 (Not Found)

How do I fix this so I don't get a 404 error, and it loads remote stylesheets and scripts?

I am 100% sure that the remote file does exist.

Gregory R. asked Dec 10 '25 16:12


1 Answer

Add to config.xml:

<access origin="*" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<platform name="android">
    <allow-intent href="market:*" />
</platform>

and in index.html:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;">
<meta http-equiv="Content-Security-Policy" content="default-src * gap://ready file:; style-src 'self' 'unsafe-inline' *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *">  
Younes Zaidi answered Dec 13 '25 08:12
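The checker below is an added example, not code from the question or the answer. It parses a CSP meta-tag value, shows that a `style-src` directive replaces `default-src` for stylesheets (the cause of the first "Refused to load" error), and lists the broad sources that the wildcard policy opens up compared with a policy scoped to one host. The host `cdn.example.com`, the stylesheet URL and all function names are assumptions made for the illustration.

```javascript
// Added example: small CSP checker for a Cordova index.html meta policy.
// Matching is simplified to scheme + host; it is not a full CSP implementation.
const BROAD = new Set(["*", "http:", "https:", "http://*", "https://*"]);
const RISKY = new Set(["'unsafe-inline'", "'unsafe-eval'"]);

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(content) {
  const policy = {};
  for (const part of content.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// A fetch directive that is present replaces default-src; the two never merge.
const effective = (policy, d) => policy[d] ?? policy["default-src"] ?? [];
// Would `url` be allowed to load under `directive`? Keywords such as 'self'
// are skipped because the question is about remote hosts only.
function allowsRemote(policy, directive, url) {
  const { protocol, hostname } = new URL(url);
  return effective(policy, directive).some((src) => {
    if (src === "*") return protocol === "http:" || protocol === "https:";
    if (src === protocol) return true; // scheme-source such as "https:"
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
    if (!m || src.startsWith("'")) return false;
    if (m[1] && m[1].toLowerCase() + ":" !== protocol) return false;
    if (m[2] === "*") return true;
    return m[2].startsWith("*.") ? hostname.endsWith(m[2].slice(1)) : hostname === m[2];
  });
}

// List the script/style sources a reviewer should question.
function audit(content) {
  const policy = parseCsp(content), findings = [];
  for (const d of ["script-src", "style-src"])
    for (const src of effective(policy, d))
      if (BROAD.has(src) || RISKY.has(src)) findings.push(`${d}: ${src}`);
  return findings;
}

const QUESTION = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *";
const ANSWER = "default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;";
// Constructed: cdn.example.com is a placeholder for the real stylesheet host.
const SCOPED = "default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline' https://cdn.example.com; script-src 'self' https://cdn.example.com; media-src *";
const CSS = "https://cdn.example.com/lib.min.css"; // constructed URL
for (const [n, p] of Object.entries({ QUESTION, ANSWER, SCOPED }))
  console.log(n, allowsRemote(parseCsp(p), "style-src", CSS), audit(p));
```

Run with Node.js; the scoped policy still admits the stylesheet while leaving only `style-src: 'unsafe-inline'` flagged.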


