Content Security Policy, including script

I need to enable this https://apis.google.com/js/api:client.js script on my website. It works fine on Google Chrome, but on Firefox (and IE, obviously) I get a few errors:


Content Security Policy: Ignoring "unsafe-inline" in script-src: specified strictly dynamic

Content Security Policy: Ignore "https:" in script-src: "strict-dynamic" file

Content Security Policy: Ignore "http:" in script-src: "strict-dynamic" file


I tried to change the title of the content security policy in the meta tag, but that didn't work.

I tried with all of this:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';">

<meta http-equiv="Content-Security-Policy" content="default-src 'self' apis.google.com">

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://*.google.com; object-src 'self' 'unsafe-eval'"> 

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' apis.google.com;">
+18
2

CSP HTML, HTTP . ?

- , HTTP , .

+2

, , , , .

. , , , . Firefox , .

Mozilla, Google CSP1 CSP3 "-". , " ", CSP1, , " ", CSP1. . , .

0
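The three console messages in the question are what a CSP3-aware browser reports when a script-src list contains 'strict-dynamic': host and scheme sources, 'self' and 'unsafe-inline' in that list stop having any effect. The sketch below is an added example, not code from the original post or its answers. It parses a policy string and reports which source expressions are still honoured; the function names, the header policy and its nonce value are constructed for illustration.

```javascript
// Added example (not from the original post): report which script-src source
// expressions a CSP3 browser still honours. Sample policies are constructed.
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_=-]+'$/i;

// Split a serialized policy into a Map of directive name -> source list.
function parseDirectives(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectiveScriptSrc(policy) {
  const directives = parseDirectives(policy);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') || directives.get('default-src') || [];
  const keyword = (s) => s.toLowerCase();
  const strictDynamic = sources.some((s) => keyword(s) === "'strict-dynamic'");
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  const honoured = [];
  const ignored = [];
  for (const src of sources) {
    const k = keyword(src);
    const quoted = k.startsWith("'") && k.endsWith("'");
    let drop = false;
    // A nonce or hash makes 'unsafe-inline' a no-op (CSP2 and later).
    if (k === "'unsafe-inline'" && (hasNonceOrHash || strictDynamic)) drop = true;
    // 'strict-dynamic' discards 'self' plus every host and scheme source.
    if (strictDynamic && (k === "'self'" || !quoted)) drop = true;
    (drop ? ignored : honoured).push(src);
  }
  return { strictDynamic, honoured, ignored };
}

// Constructed policy of the kind that yields the three console messages above.
const headerPolicy =
  "script-src 'nonce-Q09OU1RSVUNURUQ' 'strict-dynamic' 'unsafe-inline' https: http:; object-src 'none'";
// One of the meta-tag policies quoted in the question.
const metaPolicy = "script-src 'self' 'unsafe-eval' apis.google.com;";

console.log(effectiveScriptSrc(headerPolicy));
console.log(effectiveScriptSrc(metaPolicy));
```

Under a 'strict-dynamic' policy a host entry such as apis.google.com has no effect, so the loader's script tag has to carry the page's nonce. A policy delivered in a meta tag is enforced in addition to one delivered in an HTTP header and cannot relax it.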

Source: https://habr.com/ru/post/1693002/

