Mattia Billa

Reputation: 471

Content security policy including a script

I need to include this script https://apis.google.com/js/api:client.js in my website. On Google Chrome it works fine, but on Firefox (and IE obviously), I get some errors:

Content Security Policy: Ignoring “‘unsafe-inline’” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified

I tried to change the content security policy header in a meta tag but it didn't work.

I tried with all of these:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' apis.google.com">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://*.google.com; object-src 'self' 'unsafe-eval'"> 
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' apis.google.com;">

Upvotes: 47

Views: 41710

Answers (2)

Peter Rowntree

Reputation: 611

I know this question is a year old, but it's still one of the first things to come up when searching for this problem, and as yet doesn't have the correct answer.

I understand. I'm one of those people who likes to see a pristine console in production, so stuff like this drives me nuts, but there's actually nothing we can do about it. Firefox is reporting warnings out to the console when it shouldn't.

Both Mozilla and Google recommend including fallback CSP1 policies along with CSP3's 'strict-dynamic'. Browsers that understand 'strict-dynamic' should ignore the CSP1 policies, and browsers that don't should ignore the unrecognized 'strict-dynamic' and follow the CSP1 policies. The operative word is ignore. Truly ignoring includes not announcing you're ignoring.

Upvotes: 42

Rainb

Reputation: 2465

You have to edit the CSP headers not in the HTML but in the server HTTP headers. Do you have control of the server?

Meta tags and such will be ignored because the HTTP headers take precedence; fix those first.

Upvotes: 3
