user801661

Reputation: 197

CSP Header and Cross domain Ajax call

My server (my.server.com) produces an HTML page that calls another service (external.server.com) to load data. For the Ajax call I'm using jQuery.

$.ajax({
    url: "https://external.server.com/check",
    type: "GET",        // HTTP method ('get' is not a valid dataType value)
    dataType: "json",   // parse the response as JSON (an array in this case)
    success: function (json) {
        // do stuff with json (in this case an array)
        $("#userContainer").append(json);   // assumes an element with id="userContainer"
    },
    error: function () {
        alert("Error");
    }
});

When I try to call the service I receive a browser error:

Refused to connect to 'https://external.server.com/check' because it violates the following Content Security Policy directive: "default-src 'self'"

In my HTML page I'm loading JavaScript resources like this:

<script src="webjars/jquery/1.9.1/jquery.min.js"></script>

<script src="js/custom.js"></script>

And my CSP header configuration is:

<meta http-equiv="Content-Security-Policy" content="default-src my.server.com; script-src 'unsafe-inline' my.server.com; connect-src external.server.com">

<meta http-equiv="X-Content-Security-Policy" content="default-src my.server.com; script-src 'unsafe-inline' my.server.com; connect-src external.server.com">

<meta http-equiv="Access-Control-Allow-Origin" content="*">

What am I doing wrong?

Thanks

Upvotes: 1

Views: 10036

Answers (2)

AbelSurace

Reputation: 2273

You have to use the connect-src policy, not the content one; as you can see, the error is because it refuses to CONNECT. To solve that, add:

Content-Security-Policy: connect-src 'self' https://external.server.com/check; 

Make sure you add the full URL, including http://... etc.

For more information go to https://content-security-policy.com/connect-src/

Upvotes: 4
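As an added example (not part of the question or of either answer), the following JavaScript models how a browser decides whether a fetch/XHR is allowed under Content-Security-Policy, using the policies from the question. Note that the error message quotes `default-src 'self'`, which does not appear in the meta tags above, so a second policy (typically a Content-Security-Policy response header sent by the server) is probably also in effect: every delivered policy is enforced on its own and a connection must satisfy all of them, so a connect-src entry in a meta tag cannot loosen a stricter header. The page URL, the `demo()` function and the scenario values are assumptions made for illustration, and `sourceMatches` implements only the keyword and host-source forms that appear on this page.

```javascript
// Added example, not code from the original post: a small model of CSP
// enforcement for connections (fetch/XHR), enough to show why a meta-tag
// connect-src does not help while another policy still says default-src 'self'.

// Parse "directive src src; directive src" into Map(directive -> [sources]).
// A repeated directive name is ignored, as browsers do.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const token of policyText.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Connections are governed by connect-src, falling back to default-src.
// null means no applicable directive, i.e. the policy does not restrict it.
function sourcesFor(directives, directiveName) {
  if (directives.has(directiveName)) return directives.get(directiveName);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Match one source expression ('self', 'none', *, scheme:, [scheme://]host[:port][/path])
// against the request URL. Nonces, hashes and 'unsafe-inline' never match a connection.
function sourceMatches(source, requestUrl, pageUrl) {
  const req = new URL(requestUrl);
  const page = new URL(pageUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return req.protocol === page.protocol && req.host === page.host;
  if (source.startsWith("'")) return false;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return req.protocol === source.toLowerCase();

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: an explicit one must match; without one the page's scheme is assumed,
  // and an http expectation is also satisfied by https.
  const expected = scheme ? scheme.toLowerCase() : page.protocol.slice(0, -1);
  const actual = req.protocol.slice(0, -1);
  if (!(actual === expected || (expected === 'http' && actual === 'https'))) return false;

  // Host: exact match, or a "*.example.com" wildcard for subdomains.
  const hostLower = host.toLowerCase();
  if (hostLower.startsWith('*.')) {
    if (!req.hostname.endsWith(hostLower.slice(1))) return false;
  } else if (req.hostname !== hostLower) {
    return false;
  }

  // Port: an explicit port must match; otherwise the request must use the default port.
  const defaultPort = actual === 'https' ? '443' : '80';
  const reqPort = req.port || defaultPort;
  if (port ? (port !== '*' && port !== reqPort) : reqPort !== defaultPort) return false;

  // Path: a trailing "/" is a prefix match; any other path must match exactly.
  if (path) {
    if (path.endsWith('/')) return req.pathname.startsWith(path);
    return req.pathname === path;
  }
  return true;
}

function policyAllowsConnection(policyText, requestUrl, pageUrl) {
  const sources = sourcesFor(parsePolicy(policyText), 'connect-src');
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, requestUrl, pageUrl));
}

// Header and meta policies are all enforced: the request must pass every one of them.
function connectionAllowed(policies, requestUrl, pageUrl) {
  return policies.every((p) => policyAllowsConnection(p, requestUrl, pageUrl));
}

// Constructed scenario using the hostnames from the question (page URL assumed).
const PAGE = 'https://my.server.com/index.html';
const TARGET = 'https://external.server.com/check';
const META_POLICY = "default-src my.server.com; script-src 'unsafe-inline' my.server.com; connect-src external.server.com";
const HEADER_POLICY = "default-src 'self'";
const FIXED_HEADER_POLICY = "default-src 'self'; connect-src https://external.server.com/check";

function demo() {
  return {
    metaOnly: connectionAllowed([META_POLICY], TARGET, PAGE),
    metaPlusHeader: connectionAllowed([META_POLICY, HEADER_POLICY], TARGET, PAGE),
    headerFixed: connectionAllowed([META_POLICY, FIXED_HEADER_POLICY], TARGET, PAGE),
    pathIsExact: policyAllowsConnection(`connect-src ${TARGET}`, `${TARGET}/user`, PAGE),
    pathPrefix: policyAllowsConnection(`connect-src ${TARGET}/`, `${TARGET}/user`, PAGE),
  };
}
```

Running `demo()` gives `metaOnly: true`, `metaPlusHeader: false` and `headerFixed: true`: the meta policy in the question already permits the call, and the block only goes away once the policy that contains `default-src 'self'` is itself given a connect-src entry. The last two results show the path rule that matters for the answer above: `https://external.server.com/check` matches only that exact path, while `https://external.server.com/check/` matches everything under it; a host without a scheme is matched against the page's own scheme.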

Raju Gaddam

Reputation: 78

Use "default-src *".

You can follow the link below; it may be helpful for you.

click here

Upvotes: 0
