Content security policy including a script

I need to include this script https://apis.google.com/js/api:client.js in my website. On Google Chrome it works fine, but on Firefox (and IE obviously), I get some errors:

Content Security Policy: Ignoring “‘unsafe-inline’” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified

I tried to change the content security policy header in a meta tag but it didn't work.

I tried with all of these:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' apis.google.com">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://*.google.com; object-src 'self' 'unsafe-eval'">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' apis.google.com;">
Mattia Billa asked Jan 31 '18 21:01



2 Answers

I know this question is a year old, but it's still one of the first things to come up when searching for this problem, and as yet doesn't have the correct answer.

I understand. I'm one of those people who likes to see a pristine console in production, so stuff like this drives me nuts, but there's actually nothing we can do about it. Firefox is reporting warnings out to the console when it shouldn't.

Both Mozilla and Google recommend including fallback CSP1 policies along with CSP3's 'strict-dynamic'. Browsers that understand 'strict-dynamic' should ignore the CSP1 policies, and browsers that don't should ignore the unrecognized 'strict-dynamic' and follow the CSP1 policies. The operative word is ignore. Truly ignoring includes not announcing you're ignoring.

Peter Rowntree answered Sep 22 '22 11:09


You have to edit the CSP headers not in the HTML, but in the server HTTP headers. Do you have control of the server?

Meta tags and such will be ignored because the HTTP headers take precedence; fix those first.

Rainb answered Sep 23 '22 11:09
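The two answers above make two separate points: that a 'strict-dynamic' policy is meant to carry CSP1 fallback expressions which newer browsers then ignore (and Firefox announces ignoring), and that the policy should be delivered as an HTTP response header rather than a meta tag. The following is an added example, not code from either answerer or from the original question. It builds such a layered script-src with a per-response nonce, models in simplified form how a 'strict-dynamic'-aware engine versus a CSP1-only engine reduces that source list (the split matches the entries Firefox reports as ignored), and serves the header from a small WSGI app using only the Python standard library. The header layout, the browser model, and the names csp_app, build_csp_header and effective_script_src are this example's own assumptions.

```python
import secrets
from wsgiref.simple_server import make_server

# Constructed example. Keywords a CSP Level 1 engine understands; such a
# browser drops any other quoted token ('nonce-...', 'strict-dynamic') as unrecognised.
CSP1_KEYWORDS = {"'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"}


def build_script_src(nonce):
    """Layered script-src: nonce + 'strict-dynamic' for CSP3 engines, followed
    by CSP1 fallbacks ('unsafe-inline', schemes, hosts) for older ones."""
    return (f"'nonce-{nonce}' 'strict-dynamic' "
            "'unsafe-inline' https: http: 'self' https://apis.google.com")


def build_csp_header(nonce):
    return f"default-src 'self'; script-src {build_script_src(nonce)}; object-src 'none'"


def is_host_source(expr):
    # Host sources are unquoted and are not a bare scheme such as "https:".
    return not expr.startswith("'") and not expr.endswith(":")


def effective_script_src(source_list, supports_strict_dynamic):
    """Split a script-src list into (kept, ignored) the way a browser would.

    Simplified model (assumption): when 'strict-dynamic' is recognised,
    'unsafe-inline', 'self', scheme-sources and host-sources are ignored.
    A CSP1 engine instead drops the quoted tokens it does not know and
    enforces the remaining fallback list.
    """
    exprs = source_list.split()
    kept, ignored = [], []
    if supports_strict_dynamic and "'strict-dynamic'" in exprs:
        for e in exprs:
            drop = e in ("'unsafe-inline'", "'self'") or e.endswith(":") or is_host_source(e)
            (ignored if drop else kept).append(e)
    else:
        for e in exprs:
            drop = e.startswith("'") and e not in CSP1_KEYWORDS
            (ignored if drop else kept).append(e)
    return kept, ignored


def render_page(nonce):
    # Only nonced <script> elements run; under 'strict-dynamic' the scripts they
    # insert at runtime (as api:client.js does) are trusted transitively.
    return (
        "<!doctype html><html><head><title>CSP demo</title></head><body>"
        f'<script nonce="{nonce}" src="https://apis.google.com/js/api:client.js"></script>'
        "</body></html>"
    )


def csp_app(environ, start_response):
    """WSGI app that delivers the policy as an HTTP response header, with a
    fresh nonce per response shared by the header and the <script> tag."""
    nonce = secrets.token_urlsafe(16)
    body = render_page(nonce).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", build_csp_header(nonce)),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def response_headers(app, environ=None):
    """Run a WSGI app once and return status, headers and body for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    captured["body"] = b"".join(app(environ or {}, start_response))
    return captured


if __name__ == "__main__":
    nonce = "demo"
    for label, modern in (("CSP3 browser", True), ("CSP1 browser", False)):
        kept, ignored = effective_script_src(build_script_src(nonce), modern)
        print(f"{label}: enforces {kept}; ignores {ignored}")
    with make_server("127.0.0.1", 8000, csp_app) as httpd:
        print("Serving on http://127.0.0.1:8000/ (Ctrl+C to stop)")
        httpd.serve_forever()
```

Run it and open the page in Firefox: the console warnings reported in the question correspond exactly to the ignored list printed for the CSP3 branch, which is the intended behaviour of the fallback expressions rather than a misconfiguration. Because the nonce changes per response, the policy must be generated server-side where the HTML is rendered, which is also why a static meta tag is a poor place for it.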