2
votes

I have a problem with CSP and Firebase. In my index.html I've included the following:

<meta http-equiv="Content-Security-Policy"
    content="style-src 'self'; script-src 'self' https://cdn.firebase.com https://www.gstatic.com;">

These scripts are loaded from other domains:

https://www.gstatic.com/firebasejs/4.0.0/firebase.js
https://cdn.firebase.com/libs/angularfire/2.3.0/angularfire.min.js

I'm still getting some errors in the console.

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://server https://cdn.firebase.com https://www.gstatic.com"). Source: call to eval() or related function blocked by CSP.

Content Security Policy: The page's settings blocked the loading of a resource at self ("style-src http://server"). Source: @charset "UTF-8";[ng:cloak],[ng-cloak],....

Can you help please?

1
It's weird but when I opened it in Chrome the console is empty and everything is working. Something with Firefox?

1 Answer

0
votes

I faced the same issue in Ionic and I added 'unsafe-inline' 'unsafe-eval' to script-src in addition to the links. It worked for me. If we make an example for your request:

<meta http-equiv="Content-Security-Policy" content="style-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.firebase.com https://www.gstatic.com;">
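
To see which of the two console errors each policy on this page addresses, the following added example (not part of the question or the answer) checks both policies against the blocked items. It is a simplified matcher that handles only 'self', keyword sources and exact scheme://host sources; the function names are made up for this illustration.

```javascript
// Simplified CSP check (added example): no wildcards, paths, nonces or hashes.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// kind: 'url' (external file), 'eval' (eval()/new Function) or 'inline'
function isAllowed(policy, directive, kind, url, pageOrigin) {
  const d = parsePolicy(policy);
  const sources = d[directive] || d['default-src'];
  if (!sources) return true; // no applicable directive: nothing is restricted
  if (kind === 'eval') return sources.includes("'unsafe-eval'");
  if (kind === 'inline') return sources.includes("'unsafe-inline'");
  const origin = new URL(url).origin;
  return sources.some(s => (s === "'self'" ? origin === pageOrigin : s === origin));
}

// Page origin as shown in the question's console output.
const PAGE = 'http://server';
const QUESTION_POLICY =
  "style-src 'self'; script-src 'self' https://cdn.firebase.com https://www.gstatic.com;";
const ANSWER_POLICY =
  "style-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' " +
  "https://cdn.firebase.com https://www.gstatic.com;";

function report(policy) {
  return {
    firebaseScript: isAllowed(policy, 'script-src', 'url',
      'https://www.gstatic.com/firebasejs/4.0.0/firebase.js', PAGE),
    angularfireScript: isAllowed(policy, 'script-src', 'url',
      'https://cdn.firebase.com/libs/angularfire/2.3.0/angularfire.min.js', PAGE),
    evalCall: isAllowed(policy, 'script-src', 'eval'),      // first console error
    inlineStyle: isAllowed(policy, 'style-src', 'inline'),  // second console error
  };
}

console.log('question policy:', report(QUESTION_POLICY));
console.log('answer policy:  ', report(ANSWER_POLICY));
```

Both external scripts pass under either policy. The answer's policy lets the eval call through, but the inline stylesheet from the second error is still blocked, because 'unsafe-inline' was added to script-src and style-src is unchanged.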