Content Security Policy The page s settings blocked the loading of a resource

Question

I am using CAPTCHA on page load  but it is blocking because of some security reason  I am facing this problem       Content Security Policy  The page s settings blocked the loading     of a resource at     http   www google com recaptcha api js onload myCallBack render explicit       script-src http   test com 8080  unsafe-inline   unsafe-eval      I have used the following JavaScript and meta tag   lt meta http-equiv  quot Content-Security-Policy quot  content  quot default-src    style-src  self   unsafe-inline   script-src  self   unsafe-inline   unsafe-eval  quot  gt   lt script src  quot http   www google com recaptcha api js onload myCallBack amp render explicit quot  async defer gt  lt  script gt

User · Answer

With my ASP NET Core Angular project running in Visual Studio 2019  sometimes I get this error message in the Firefox console   Content Security Policy  The page   s settings blocked the loading of a resource at inline     default-src       In Chrome  the error message is instead   Failed to load resource  the server responded with a status of 404     In my case it had nothing to do with my Content Security Policy  but instead was simply the result of a TypeScript error on my part  Check your IDE output window for a TypeScript error  like   gt  ERROR in src app shared models person model ts 8 20   error TS2304  Cannot find name  bool    gt   gt  i  wdm   Failed to compile   Note  Since this question is the first result on Google for this error message

User · Answer

You have said you can only load scripts from your own site  self   You have then tried to load a script from another site  www google com  and  because you ve restricted this  you can t  That s the whole point of Content Security Policy  CSP   You can change your first line to   lt meta http-equiv  quot Content-Security-Policy quot  content  quot default-src    style-src  self   unsafe-inline   script-src  self   unsafe-inline   unsafe-eval  http   www google com quot  gt   Or  alternatively  it may be worth removing that line completely until you find out more about CSP  Your current CSP is pretty lax anyway  allowing unsafe-inline  unsafe-eval and a default-src of     so it is probably not adding too much value  to be honest

User · Answer

I got around this by upgrading both the version of Angular that I was using  from v8 - gt  v9  and the version of TypeScript  from 3 5 3 - gt  latest

User · Answer

I had a similar error type  First  I tried to add the meta tags in the code  but it didn t work  I found out that on the nginx web server you may have a security setting that may block external code to run    Security directives server tokens off  add header X-Frame-Options SAMEORIGIN  add header X-Content-Type-Options nosniff  add header X-XSS-Protection  quot 1  mode block quot   add header Content-Security-Policy  quot default-src  self   script-src  self   unsafe-inline   unsafe-eval   https   ajax googleapis com  https   ssl google-analytics com https   assets zendesk com https   connect facebook net  img-src  self  https   ssl google-analytics com https   s-static ak facebook com https   assets zendesk com  style-src  self   unsafe-inline  https   assets zendesk com  font-src  self  https   fonts gstatic com  https   themes googleusercontent com  frame-src https   player vimeo com https   assets zendesk com https   www facebook com https   s-static ak facebook com https   tautt zendesk com  object-src  none  quot    Check the Content-Security-Policy  You may need to add the source reference

User · Answer

You can disable them in your browser  Firefox Type about config in the Firefox address bar and find security csp enable and set it to false  Chrome You can install the extension called Disable Content-Security-Policy to disable CSP

User · Answer

I managed to allow all my requisite sites with this header  header  quot Content-Security-Policy  default-src    style-src  self   unsafe-inline   font-src  self  data   script-src  self   unsafe-inline   unsafe-eval  stackexchange com quot

[javascript] Content Security Policy: The page's settings blocked the loading of a resource

Examples related to javascript

Examples related to jquery

Examples related to content-security-policy