Content-Security-Policy error https://ssl.gstatic.com

Question

I am getting an error as captured in the screenshot below:

It reads:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src file: data: chrome-extension: https://ssl.gstatic.com". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

What am I doing wrong and how can I resolve the Content-Security-Policy error?

Below is my meta-tag in, in my index.html:

<meta http-equiv="Content-Security-Policy" 
    content="default-src * 'self' 'unsafe-eval' 'unsafe-inline' 
    data: ssl.gstatic.com https://ssl.gstatic.com; 
    style-src * 'self' 'unsafe-inline' 
    chrome-extension: ssl.gstatic.com; 
    script-src * 'unsafe-inline' 'unsafe-eval' 'self' 
    chrome-extension: file: data: http: https: ssl.gstatic.com
 https://ssl.gstatic.com">

I'm using CCA with Onsen UI.

which platform are you using? WP? have you tried using ng-csp? — Andi Pavllo

Xan Xan · Accepted Answer · 2015-07-01T10:02:17

Your question is tagged as a Google Chrome App question.

Chrome Apps are subject to a very specific CSP and cannot override it.

default-src 'self';
connect-src *;
style-src 'self' data: chrome-extension-resource: 'unsafe-inline';
img-src 'self' data: chrome-extension-resource:;
frame-src 'self' data: chrome-extension-resource:;
font-src 'self' data: chrome-extension-resource:;
media-src *;

Your Chrome App can only refer to scripts and objects within your app, with the exception of media files (apps can refer to video and audio outside the package). Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t.

The documentation then proceeds to have a helpful "How do I.." section. Take a look at it and see what fits your needs.

Content-Security-Policy error https://ssl.gstatic.com

1 Answers