47

I need to include this script https://apis.google.com/js/api:client.js in my website. On Google Chrome it works fine, but on Firefox (and IE obviously), I get some errors:

Content Security Policy: Ignoring “‘unsafe-inline’” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified

I tried to change the content security policy header in a meta tag but it didn't work.

I tried with all of these:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' apis.google.com">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://*.google.com; object-src 'self' 'unsafe-eval'"> 
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' apis.google.com;">
Mattia Billa
  • Can you share the CSP header you currently configured? – Nico Haase Jan 31 '18 at 21:46
  • I tried with all of these: – Mattia Billa Feb 01 '18 at 07:04
  • I also tried to copy directly the code into a script tag but it didn't work too. – Mattia Billa Feb 01 '18 at 07:16
  • 2
    I had very similar problem (this script was working on chrome, but not at the firefox). I got the same message in console, but solution was related with one of my addons in firefox (ghostery). After disabled addons, everything started works. – Mariusz Feb 18 '18 at 14:36
  • 4
    Hi. Did you find a solution to this. I am getting the exact same warnings in Firefox/Edge when embedding Disqus on my site – Drenai Mar 19 '18 at 13:54
  • Related thread (without a solution, as of now): https://productforums.google.com/forum/#!topic/inbox/ymJOodokX6A – Giovanni P. Apr 26 '18 at 20:45
  • “On Google Chrome it works fine but on Firefox (and IE obviously) I get some errors” — please show a minimal, complete example that will help others verify the behaviour. https://stackoverflow.com/help/mcve – bignose May 12 '18 at 09:39
  • There are additional ways you can implement a CSP, such as .htaccess or a server-side language (PHP, Node.js, Ruby etc.) if meta tags aren't working for you. You may want to consider those. – Justin R. Jun 06 '18 at 20:29
  • Where exactly in the HTML did you include those tags? Inside `head`? – Felippe Duarte Jun 06 '18 at 20:39
  • This is likely related to https://developers.google.com/youtube/v3/code_samples/javascript#retrieve-my-uploads – PearsonArtPhoto Jun 28 '18 at 02:15
  • Has anyone found any solution? – Dipu Jul 29 '18 at 16:51

2 Answers

41

I know this question is a year old, but it's still one of the first things to come up when searching for this problem, and as yet doesn't have the correct answer.

I understand. I'm one of those people who likes to see a pristine console in production, so stuff like this drives me nuts, but there's actually nothing we can do about it. Firefox is reporting warnings out to the console when it shouldn't.

Both Mozilla and Google recommend including fallback CSP1 policies along with CSP3's 'strict-dynamic'. Browsers that understand 'strict-dynamic' should ignore the CSP1 policies, and browsers that don't should ignore the unrecognized 'strict-dynamic' and follow the CSP1 policies. The operative word is ignore. Truly ignoring includes not announcing you're ignoring.

Peter Rowntree
  • According to Firefox, you can just ignore it too: https://www.reddit.com/r/firefox/comments/fpptyj/firefox_content_security_policy_console_output/ – ivanleoncz Mar 27 '20 at 21:56
3

You have to edit the CSP headers not in the HTML, but in the server's HTTP headers. Do you have control of the server?

Meta tags and such will be ignored because the HTTP Headers take precedence, fix those first.

Rainb
  • Old question (and answers) but still a problem... I sincerely doubt he has control of the server he specified in the question: apis.google.com :) – HeyHeyJC Mar 25 '20 at 02:53
  • There is not much anyone can do; if you're just very interested in changing the website for yourself, you would need to use some sort of proxy and edit out/in the headers that you want. – Rainb Mar 25 '20 at 05:43