I have been having problems with scripts not getting loaded because of problems with content security policy settings and was wondering if there was a way to set a content security policy so that it lets all websites be accessible for downloading scripts?
- That defeats most of the point of the policy. What problem are you having? – SLaks Nov 27 '15 at 19:44
- Yes I agree it is not a good idea but it would help me make progress until I can sort out why I can't access the google maps api script no matter what content security policy I try. – Bill Noble Nov 27 '15 at 20:55
- What errors do you get? – SLaks Nov 27 '15 at 20:56
- http://stackoverflow.com/q/13228825/34397 – SLaks Nov 27 '15 at 20:57
- I tried those suggestions but none worked for me. Hence the question about turning off content security. – Bill Noble Nov 27 '15 at 21:02
- Why not? What errors do you get? – SLaks Nov 28 '15 at 23:12
1 Answer
If you're not sure exactly what Content Security Policy you need, it's fine to start with a policy that's very permissive (which is at least better than no policy at all) and refine it.
For example,
Content-Security-Policy: default-src 'self'; script-src *
would allow you to include scripts from anywhere, but everything else, for example images, only from your own site.
I would also recommend you start with Content-Security-Policy-Report-Only, which reports errors but doesn't block the content. That way you can safely test and refine your policy before you enforce it.
See for example Scott Helme's blog article https://scotthelme.co.uk/content-security-policy-an-introduction/

Chris Denning
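One way to carry out the refinement step the answer describes, as an added example that is not part of the original answer: it reads the violation reports a browser sends under Content-Security-Policy-Report-Only and builds a narrower policy to replace `script-src *`. The sample reports, host names and function names are constructed for illustration.

```javascript
// Browsers POST a JSON body with a "csp-report" object to the endpoint named
// by the policy's report-uri directive. These sample bodies are constructed.
const sampleReports = [
  { "csp-report": { "effective-directive": "script-src",
      "blocked-uri": "https://maps.example.com/api/js" } },
  { "csp-report": { "violated-directive": "script-src 'self'",
      "blocked-uri": "https://static.example.net" } },
  { "csp-report": { "effective-directive": "img-src",
      "blocked-uri": "https://static.example.net/pin.png" } },
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "inline" } },
];

// Group blocked origins by directive. Non-URL values such as "inline", "eval"
// or data: URIs are never allow-listed automatically; they go to a review list.
function collectSources(reports) {
  const allowed = {};
  const needsReview = [];
  for (const body of reports) {
    const r = body["csp-report"];
    if (!r) continue;
    // Older browsers send only violated-directive, which includes the source list.
    const directive = (r["effective-directive"] || r["violated-directive"] || "")
      .split(/\s+/)[0];
    if (!directive) continue;
    const blocked = r["blocked-uri"] || "";
    let origin = null;
    try { origin = new URL(blocked).origin; } catch (e) { /* not a URL */ }
    if (!origin || origin === "null") {
      needsReview.push(`${directive}: ${blocked}`);
      continue;
    }
    if (!allowed[directive]) allowed[directive] = new Set();
    allowed[directive].add(origin);
  }
  return { allowed, needsReview };
}

// Start from 'self' and add only the origins that were actually reported.
// A specific directive replaces default-src, so 'self' is repeated in each one.
function buildPolicy(allowed) {
  const directives = { "default-src": ["'self'"], "script-src": ["'self'"] };
  for (const [name, origins] of Object.entries(allowed)) {
    directives[name] = [...(directives[name] || ["'self'"]), ...[...origins].sort()];
  }
  return Object.entries(directives).map(([n, v]) => `${n} ${v.join(" ")}`).join("; ");
}

const result = collectSources(sampleReports);
console.log("Content-Security-Policy: " + buildPolicy(result.allowed));
console.log("Review by hand:", result.needsReview);
```

Each origin in the output should be checked against what the page is expected to load before the header is switched from Report-Only to enforcing.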