6

I am getting the following error on my page:

Refused to load the script 'http://127.0.0.1:35729/livereload.js' because it violates the following Content Security Policy directive: "script-src https: 'unsafe-inline' 'unsafe-eval'".

HTML

<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;">
 </head>
 <body>
    <script src="http://127.0.0.1:35729/livereload.js"></script>

I have tried to use a completely open just to get it working and then work backwards, however I even get the same error with this.

To be clear, this isn't for producition code, this is just to enable my live-reload-webpack on a domain that is using https.

Jamie Hutber
  • 26,790
  • 46
  • 179
  • 291

1 Answers1

7

You can use localhost:, though I believe using 'self' (including the single quotes) would also suffice in this situation. There are some odd cases where * is not actually all-inclusive (blob: for example is also excluded from * I believe).

As always it's good to check out your CSP with Google's Evaluator first.

Jasper de Vries
  • 19,370
  • 6
  • 64
  • 102
Ben Brocka
  • 2,006
  • 4
  • 34
  • 53