
I need to include this script https://apis.google.com/js/api:client.js in my website. On Google Chrome it works fine, but on Firefox (and IE obviously), I get some errors:

Content Security Policy: Ignoring “‘unsafe-inline’” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified

I tried to change the content security policy header in a meta tag but it didn't work.

I tried with all of these:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' apis.google.com">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://*.google.com; object-src 'self' 'unsafe-eval'"> 
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' apis.google.com;">
  • Can you share the CSP header you currently configured?
    – Nico Haase
    Commented Jan 31, 2018 at 21:46
  • I tried with all of these: <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';"> <meta http-equiv="Content-Security-Policy" content="default-src 'self' apis.google.com"> <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://*.google.com; object-src 'self' 'unsafe-eval'"> <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' apis.google.com;"> Commented Feb 1, 2018 at 7:04
  • I also tried copying the code directly into a script tag, but that didn't work either. Commented Feb 1, 2018 at 7:16
  • I had a very similar problem (this script was working on Chrome, but not on Firefox). I got the same message in the console, but the solution was related to one of my addons in Firefox (Ghostery). After disabling the addons, everything started working.
    – Mariusz
    Commented Feb 18, 2018 at 14:36
  • Hi. Did you find a solution to this? I am getting the exact same warnings in Firefox/Edge when embedding Disqus on my site.
    – Drenai
    Commented Mar 19, 2018 at 13:54

2 Answers


I know this question is a year old, but it's still one of the first things to come up when searching for this problem, and as yet doesn't have the correct answer.

I understand. I'm one of those people who likes to see a pristine console in production, so stuff like this drives me nuts, but there's actually nothing we can do about it. Firefox is reporting warnings out to the console when it shouldn't.

Both Mozilla and Google recommend including fallback CSP1 policies along with CSP3's 'strict-dynamic'. Browsers that understand 'strict-dynamic' should ignore the CSP1 policies, and browsers that don't should ignore the unrecognized 'strict-dynamic' and follow the CSP1 policies. The operative word is ignore. Truly ignoring includes not announcing you're ignoring.
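To make the "ignore" behaviour concrete, here is an added example (written for this page; it is not code from the question, the answer, or Google) that models how a CSP3 browser and a CSP1 browser each read the same script-src directive. The sample policy is constructed from the tokens Firefox's warnings name in the question ('strict-dynamic', 'unsafe-inline', https:, http:); the nonce value abc123 is hypothetical, host-source matching is simplified (no path or port handling, no hash matching), and propagated trust is modelled as a flag rather than derived from the DOM.

```javascript
// Added example: a simplified model of CSP3 vs. CSP1 handling of script-src.
// Not browser source code and not Google's real header.

// Constructed sample policy; the nonce is hypothetical.
const SAMPLE_POLICY = "script-src 'strict-dynamic' 'nonce-abc123' 'unsafe-inline' https: http:";

// Pull the script-src source list out of a serialized policy string.
function parseScriptSrc(policy) {
  const directive = policy.split(';').map(d => d.trim()).find(d => /^script-src(\s|$)/.test(d));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

function isNonceOrHash(s) { return /^'(nonce-|sha(256|384|512)-)/.test(s); }
// Anything not wrapped in single quotes is a host-source ("apis.google.com",
// "https://*.google.com") or a scheme-source ("https:").
function isHostOrScheme(s) { return !s.startsWith("'"); }

// What a browser that understands 'strict-dynamic' (CSP3) actually enforces:
// 'self', 'unsafe-inline' and every host/scheme source are dropped.
function effectiveSourcesCsp3(sources) {
  const strict = sources.includes("'strict-dynamic'");
  const ignored = [], kept = [];
  for (const s of sources) {
    const drop = strict && (s === "'self'" || s === "'unsafe-inline'" || isHostOrScheme(s));
    (drop ? ignored : kept).push(s);
  }
  return { kept, ignored };
}

// What a browser that predates CSP3 enforces: 'strict-dynamic' is an
// unrecognized keyword and is skipped; the CSP1 allowlist stays in force.
function effectiveSourcesCsp1(sources) {
  return {
    kept: sources.filter(s => s !== "'strict-dynamic'"),
    ignored: sources.filter(s => s === "'strict-dynamic'"),
  };
}

// Firefox prints one warning per dropped CSP1 source, in the wording from the question.
function firefoxWarnings(sources) {
  return effectiveSourcesCsp3(sources).ignored.map(
    s => `Content Security Policy: Ignoring “${s}” within script-src: ‘strict-dynamic’ specified`);
}

// Simplified host-source matching: scheme only ("https:"), exact host, or "*." wildcard.
function hostMatches(pattern, url) {
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(pattern)) return u.protocol === pattern.toLowerCase();
  const host = pattern.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].toLowerCase();
  return host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
}

// Would a <script src=...> be allowed under the given effective view?
// script = { url, nonce?, propagatedTrust? }
function scriptAllowed(view, script) {
  const nonceOk = Boolean(script.nonce) && view.kept.includes(`'nonce-${script.nonce}'`);
  if (view.kept.includes("'strict-dynamic'")) {
    // CSP3: the allowlist is gone; only a nonce, or trust propagated from a
    // script that already carried one (modelled here as a flag), lets it run.
    return nonceOk || script.propagatedTrust === true;
  }
  // CSP1/CSP2 view: a nonce still works, otherwise the URL must match the allowlist.
  return nonceOk || view.kept.filter(isHostOrScheme).some(p => hostMatches(p, script.url));
}

const sources = parseScriptSrc(SAMPLE_POLICY);
for (const w of firefoxWarnings(sources)) console.log(w);
```

Run under Node, the block prints the three warnings from the question verbatim, while scriptAllowed() shows that the policy itself is sound in both views: a CSP3 browser admits the Google script only through its nonce, and a CSP1 browser admits it through the https: scheme-source that CSP3 discarded.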


You have to edit the CSP headers not in the HTML but in the server's HTTP headers. Do you have control of the server?

Meta tags and such will be ignored because the HTTP headers take precedence; fix those first.

  • Old question (and answers) but still a problem... I sincerely doubt he has control of the server he specified in the question: apis.google.com :)
    – HeyHeyJC
    Commented Mar 25, 2020 at 2:53
  • There is not much anyone can do. If you're just very interested in changing the website for yourself, you would need to use some sort of proxy and edit the headers you want in or out.
    – Rainb
    Commented Mar 25, 2020 at 5:43
