Trouble with content security policy
So I have been trying to use a Google Programmable Search Engine script, but I am having trouble with the meta tag. The meta tag that I have included in my is as follows:
<meta http-equiv="Content-Security-Policy" content="script-src *.google.com 'self';">
However, I am still getting an error telling me it refused to load the script because it violates the "content-security-policy directive: "script-src 'self'""
I am wondering whether it inherits some sort of settings from somewhere else, as it doesn't accept the new script-src I am setting; however, it does accept the new script-src if I set it to 'none'.
By the way, I am very new to HTML, so I might be making some obvious mistake.
Solution 1:
Looks like you have 2 Content-Security-Policies issued. If there are multiple CSPs, the strictest rules from both will apply (all sources/tokens should pass through both CSPs unscathed).
Content Security Policy could be delivered 2 ways:
- via HTTP header Content-Security-Policy: (preferred)
- via meta-tag (restricted possibilities)
So you need to check for double <meta http-equiv="Content-Security-Policy" in the HTML code.
And check the HTTP response headers (because the CMS could publish a CSP by default) in the browser developer tools (Ctrl+Shift+I in Chrome and Ctrl+Shift+K in Firefox -> Network tab -> select the main page in the left window and look at Response headers).
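The check described in this answer, as an added example that is not part of the original post: it collects every CSP a page delivers (header and meta tag) and reports which one blocks a script. The header value, the page URL `https://site.example/` and the `cx=EXAMPLE` parameter are constructed assumptions, and the source matching is simplified (`script-src`/`default-src` with `'self'`, `'none'`, `*` and host sources only).

```javascript
// Simplified model of how a browser combines several CSPs: a script must pass every one.
function collectPolicies(headers, html) {
  const policies = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'content-security-policy') continue;
    // One header value may carry several comma-separated policies.
    for (const p of value.split(',')) policies.push({ from: 'header', text: p.trim() });
  }
  // Naive meta-tag scan, sufficient for the tag form shown in the question.
  const metaRe = /<meta\s+http-equiv=["']Content-Security-Policy["']\s+content="([^"]*)"/gi;
  for (const m of html.matchAll(metaRe)) policies.push({ from: 'meta', text: m[1].trim() });
  return policies;
}

function scriptSources(policyText) {
  const directives = {};
  for (const d of policyText.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  // null means this policy does not restrict scripts at all.
  return directives['script-src'] ?? directives['default-src'] ?? null;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  const host = source.replace(/^https?:\/\//, ''); // scheme matching is ignored here
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

function checkScript(headers, html, pageUrl, scriptUrl) {
  const url = new URL(scriptUrl);
  const pageOrigin = new URL(pageUrl).origin;
  const blockedBy = collectPolicies(headers, html).filter((p) => {
    const sources = scriptSources(p.text);
    return sources !== null && !sources.some((s) => sourceMatches(s, url, pageOrigin));
  });
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed sample: an assumed server/CMS header plus the meta tag from the question.
const sampleHeaders = { 'Content-Security-Policy': "script-src 'self'" };
const sampleHtml = `<meta http-equiv="Content-Security-Policy" content="script-src *.google.com 'self';">`;
const sampleResult = checkScript(sampleHeaders, sampleHtml,
  'https://site.example/', 'https://cse.google.com/cse.js?cx=EXAMPLE');
console.log(sampleResult.allowed, sampleResult.blockedBy.map((p) => `${p.from}: ${p.text}`));
```

With the sample input the meta tag alone would allow the script, but the header policy still blocks it, which matches the `script-src 'self'` violation quoted in the question.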