问题
I am getting an error as captured in the screenshot below:
It reads:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src file: data: chrome-extension: https://ssl.gstatic.com". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
What am I doing wrong and how can I resolve the Content-Security-Policy error?
Below is my meta-tag in, in my index.html:
<meta http-equiv="Content-Security-Policy"
content="default-src * 'self' 'unsafe-eval' 'unsafe-inline'
data: ssl.gstatic.com https://ssl.gstatic.com;
style-src * 'self' 'unsafe-inline'
chrome-extension: ssl.gstatic.com;
script-src * 'unsafe-inline' 'unsafe-eval' 'self'
chrome-extension: file: data: http: https: ssl.gstatic.com
https://ssl.gstatic.com">
I'm using CCA with Onsen UI.
回答1:
Your question is tagged as a Google Chrome App question.
Chrome Apps are subject to a very specific CSP and cannot override it.
default-src 'self';
connect-src *;
style-src 'self' data: chrome-extension-resource: 'unsafe-inline';
img-src 'self' data: chrome-extension-resource:;
frame-src 'self' data: chrome-extension-resource:;
font-src 'self' data: chrome-extension-resource:;
media-src *;
Your Chrome App can only refer to scripts and objects within your app, with the exception of media files (apps can refer to video and audio outside the package). Chrome extensions will let you relax the default Content Security Policy; Chrome Apps won’t.
The documentation then proceeds to have a helpful "How do I.." section. Take a look at it and see what fits your needs.
来源:https://stackoverflow.com/questions/31149395/content-security-policy-error-https-ssl-gstatic-com