Claes Gustavsson

Reputation: 5687

How to fix "Content Security Policy - contains an invalid source" error?

I'm getting this error and I don't know why, the scripts that I have included work? And the error only shows up when I load a subpage. Not when I load the startpage. So what am I doing wrong?

The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.

<meta http-equiv="Content-Security-Policy" content="script-src *  'unsafe-inline' 'unsafe-eval' https://checkout.dibspayment.eu https://www.google-analytics.com https://maps.google.com;">

Any input really appreciated, thanks.

Upvotes: 23

Views: 88132

Answers (1)

granty

Reputation: 8546

> And the error only shows up when I load a subpage. I'm getting this error and I don't know why
> The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.

It's not an error, just a warning that your browser does not support the 'strict-dynamic' token (I guess you use Safari).

I guess that subpage is some Google iframe (oAuth2, reCaptcha, etc). That iframe publishes its own CSP, which contains the 'strict-dynamic' token, and this CSP was created in browser backward-compatibility mode (Google makes such).

That's a warning from a third-party CSP, not yours.

> the scripts that I have included work?

Your parent page has its own CSP which allows scripts. The CSP of a nested browsing context (iframe) does not affect the parent page (except the frame-ancestors directive).

> So what am I doing wrong?

Nothing. It's the intended, regular working of Content Security Policy.
Each browsing context can have its own CSP. But all warnings flow to one browser console, and that is misleading.

Upvotes: 34
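
The backward-compatibility behaviour the answer refers to, as an added example that is not part of the original answer: a simplified model of which `script-src` sources a browser honours at CSP Level 1, 2 or 3, and which tokens it reports as invalid. `FRAME_POLICY` is a constructed sample, not an actual Google header, and the function names are hypothetical.

```javascript
// Added example. Models which script-src sources a browser honours at a given
// CSP level; a simplification of the spec, not a full CSP implementation.

// Split a serialized policy into { directive-name: [source expressions] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

const isNonceOrHash = (s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s);
const isStrictDynamic = (s) => s.toLowerCase() === "'strict-dynamic'";

// level 1: no nonces/hashes; level 2: nonces/hashes; level 3: + 'strict-dynamic'.
function effectiveScriptSrc(policy, level) {
  const d = parseCsp(policy);
  const list = d['script-src'] || d['default-src'] || [];
  // Tokens this browser does not understand: reported as "invalid source".
  const unknown = list.filter((s) =>
    (level < 3 && isStrictDynamic(s)) || (level < 2 && isNonceOrHash(s)));
  const known = list.filter((s) => !unknown.includes(s));
  const hasNonceOrHash = known.some(isNonceOrHash);
  const hasStrictDynamic = known.some(isStrictDynamic);
  const effective = known.filter((s) => {
    const lower = s.toLowerCase();
    if (lower === "'unsafe-inline'") return !(hasNonceOrHash || hasStrictDynamic);
    // With 'strict-dynamic', host, scheme and 'self' sources are not consulted.
    if (hasStrictDynamic && (lower === "'self'" || !s.startsWith("'"))) return false;
    return true;
  });
  return { effective, unknown };
}

// The asker's policy, copied from the question.
const PAGE_POLICY = "script-src *  'unsafe-inline' 'unsafe-eval' " +
  "https://checkout.dibspayment.eu https://www.google-analytics.com https://maps.google.com;";
// Constructed sample of a backward-compatible policy an embedded frame might send.
const FRAME_POLICY = "script-src 'nonce-EXAMPLE' 'strict-dynamic' 'unsafe-inline' https: http:; object-src 'none'";

for (const level of [1, 2, 3]) {
  console.log(level, effectiveScriptSrc(PAGE_POLICY, level), effectiveScriptSrc(FRAME_POLICY, level));
}
```

At level 2 the frame's policy yields 'strict-dynamic' as an unknown token while its nonce is still enforced; the asker's own policy yields no unknown tokens at any level.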
