Trouble with content security policy

So i have been trying to use a google programmable search engine script, but i am having trouble with the meta tag. The meta tag that i have included in my is as follows:

<meta http-equiv="Content-Security-Policy" content="script-src *.google.com 'self';">

However, i am still getting an error telling me it refused to load the script because it violates the "content-security-policy directive: "script-src 'self'""

I am wondering whether it inherits some sort of settings from somewhere else, as it doesn't accept the new script-src i am setting, however it does accept the new script-src if i set it to 'none'.

By the way, I am very new to html, so i might be making some obvious mistake.


Solution 1:

Looks like you have 2 Content-Security-Policy issued. If multiple CSPs the strictest rules from both will apply (all sources/tokens should pass via both CSPs unscratched).

Content Security Policy could be delivered 2 ways:

  • via HTTP header Content-Security-Policy: (prefereed)
  • via meta-tag (restricted possibilities)

So you need to check for double <meta http-equiv="Content-Security-Policy" in the HTML code.

And check the HTTP response headers(because CMS could publush CSP by default) in the browser developers tool (Crtl+Shift+i in Chrome and Crtl+Shift+k in Fifrefox -> Network tab -> select main page at the left window and look Response headers): response headers in the browser console