Content security policy error https://ssl.gstatic.com

I am getting the following problem

http://i.stack.imgur.com/lFQ9x.png

    Refused to evaluate a string as JavaScript because 'unsafe-eval' 
    is not an allowed source of script in the following Content Security Policy directive: 
    "default-src file: 
    data: chrome-extension: https://ssl.gstatic.com". 
    Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.


Does anyone know how to resolve this error in Content-Security-Policy?

My meta tag in index.html:

    <meta http-equiv="Content-Security-Policy" 
          content="default-src * 'self' 'unsafe-eval' 'unsafe-inline' 
             data: ssl.gstatic.com https://ssl.gstatic.com; 
             style-src * 'self' 'unsafe-inline' 
             chrome-extension: ssl.gstatic.com; 
             script-src * 'unsafe-inline' 'unsafe-eval' 'self' 
             chrome-extension: file: data: http: https: ssl.gstatic.com
     https://ssl.gstatic.com">

I am using CCA with Onsen UI.

+3


1 answer


Your question has been flagged as a Google Chrome App question.

Chrome apps obey a very specific CSP and cannot override it.

    default-src 'self';
    connect-src *;
    style-src 'self' data: chrome-extension-resource: 'unsafe-inline';
    img-src 'self' data: chrome-extension-resource:;
    frame-src 'self' data: chrome-extension-resource:;
    font-src 'self' data: chrome-extension-resource:;
    media-src *;

Your Chrome app can only link to scripts and objects in your app, excluding media files (apps can link to video and audio outside of the package). Chrome extensions allow you to relax the default content security policy; Chrome apps won't.

The documentation then has a helpful "How to ..." section. Take a look at it and see what suits you.

+4
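
An added example, not part of the question or the answer: a small JavaScript checker that resolves which directive governs `eval()` for a policy string, using the `script-src` to `default-src` fallback named in the error message, and runs it over the three policies quoted on this page. The function names are made up for this illustration, the parser handles only directive splitting and the `'unsafe-eval'` keyword, and `evalAllowedUnderAll` reflects the CSP rule that every policy in force must allow an action, so an extra policy can only tighten the result.

```javascript
// Added example. Policy strings are copied from the page; function names are hypothetical.
const ENFORCED = "default-src file: data: chrome-extension: https://ssl.gstatic.com"; // error message
const META = "default-src * 'self' 'unsafe-eval' 'unsafe-inline' data: ssl.gstatic.com https://ssl.gstatic.com; " +
  "style-src * 'self' 'unsafe-inline' chrome-extension: ssl.gstatic.com; " +
  "script-src * 'unsafe-inline' 'unsafe-eval' 'self' chrome-extension: file: data: http: https: " +
  "ssl.gstatic.com https://ssl.gstatic.com"; // the question's meta tag
const CHROME_APP = "default-src 'self'; connect-src *; " +
  "style-src 'self' data: chrome-extension-resource: 'unsafe-inline'; " +
  "img-src 'self' data: chrome-extension-resource:; frame-src 'self' data: chrome-extension-resource:; " +
  "font-src 'self' data: chrome-extension-resource:; media-src *;"; // the answer's policy

// Split a serialized policy into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;            // empty segment, e.g. after a trailing ';'
    const name = tokens[0].toLowerCase();
    // A directive repeated inside one policy is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval() and new Function() are checked against script-src, or default-src when
// script-src is absent. With neither directive present the policy does not restrict eval.
function evalVerdict(policy) {
  const directives = parseCsp(policy);
  const governing = directives.has("script-src") ? "script-src"
    : directives.has("default-src") ? "default-src" : null;
  if (governing === null) return { governing, allowed: true };
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  return { governing, allowed: sources.includes("'unsafe-eval'") };
}

// Several policies can apply to one document; eval must pass every one of them.
function evalAllowedUnderAll(policies) {
  return policies.every((p) => evalVerdict(p).allowed);
}

for (const [label, policy] of [["enforced", ENFORCED], ["meta tag", META], ["Chrome app", CHROME_APP]]) {
  const v = evalVerdict(policy);
  console.log(`${label}: governed by ${v.governing}, eval ${v.allowed ? "allowed" : "blocked"}`);
}
console.log("meta tag + enforced:", evalAllowedUnderAll([META, ENFORCED]) ? "allowed" : "blocked");
```
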

