0
votes

I want to access a website using JavaScript, but I am getting the following error in the console.

Refused to connect to 'https://example.com' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

I have added the following meta tag in the index.html,

<meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://example.com;" />

Isn't this the right way to add CSP? Please help.


1 Answer

1
votes

You already have one CSP published with the default-src 'self' policy. Quite possibly it was done via an HTTP header.
Check the Helmet middleware settings in the case of a NodeJS server, or Header set in the .htaccess file in the case of an Apache server. In the case of Nginx it can be add_header in the config.

By adding a <meta> tag you just publish a second CSP, which does not override the first one. The two CSPs work one after the other: all sources should pass both CSPs.

Figure out where the CSP is published and add connect-src 'self' http://example.com; there.
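
The behaviour described in the answer above, as an added example that is not part of the original answer: a simplified model of how two delivered policies are both applied to a connection. The page origin `https://app.test`, the function names and the reduced source-matching rules are assumptions made for illustration.

```javascript
// Simplified model of how a browser decides on a fetch/XHR (connect-src) request.
// Assumptions: only 'self', * and scheme://host[:port] sources are handled, and
// PAGE_ORIGIN is a constructed value; real CSP matching has more rules.
const PAGE_ORIGIN = 'https://app.test';

function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A directive repeated inside one policy is ignored: the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, target) {
  if (source === '*') return true;
  if (source === "'self'") return target.origin === PAGE_ORIGIN;
  let expr;
  try { expr = new URL(source); } catch { return false; } // keywords such as 'none'
  // An http: source expression also matches the https: form of the same host.
  const schemeOk = expr.protocol === target.protocol ||
    (expr.protocol === 'http:' && target.protocol === 'https:');
  return schemeOk && expr.hostname === target.hostname && expr.port === target.port;
}

function allowedByPolicy(policyText, url) {
  const directives = parsePolicy(policyText);
  // connect-src falls back to default-src when it is not set, as the error says.
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // this policy does not restrict connections
  return sources.some((s) => sourceMatches(s, new URL(url)));
}

// Every delivered policy (header and <meta>) must allow the request.
function connectAllowed(policies, url) {
  return policies.every((p) => allowedByPolicy(p, url));
}

const headerPolicy = "default-src 'self'";                   // from the error message
const metaPolicy = "connect-src 'self' http://example.com;"; // from the question
const fixedHeader = "default-src 'self'; connect-src 'self' http://example.com";

console.log(connectAllowed([headerPolicy, metaPolicy], 'https://example.com')); // false
console.log(connectAllowed([fixedHeader], 'https://example.com'));              // true
```

Run it with Node.js; the first result shows the meta tag alone cannot loosen the header policy.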