Adding the meta tag to ignore this policy was not helping us, because our webserver was injecting the Content-Security-Policy
header in the response.
In our case we are using Ngnix as the web server for a Tomcat 9 Java-based application. From the web server, it is directing the browser not to allow inline scripts
, so for a temporary testing we have turned off Content-Security-Policy
by commenting.
How to turn it off in ngnix
By default, ngnix ssl.conf file will have this adding a header to the response:
#> grep 'Content-Security' -ir /etc/nginx/global/ssl.conf add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
If you just comment this line and restart ngnix, it should not be adding the header to the response.
If you are concerned about security or in production please do not follow this, use these steps as only for testing purpose and moving on.