
I am hosting a webpage using Apache, but it looks like Apache (v2.4.48) is inserting a content security policy that blocks loading of the chart.js file. The webpage is very simple and uses chart.js from a CDN link (https://cdn.jsdelivr.net/npm/chart.js). I get an error from Firefox which says: Content Security Policy: The page’s settings blocked the loading of a resource at https://cdn.jsdelivr.net/npm/chart.js (“script-src”).

The HTML code is below.

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8"> 
  <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
  <script src="sketch.js"></script>
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Document</title>
</head>
<body>
  
</body>
</html>

The error says "Page Setting" but I do not have any CSP setting applied on the page; it is a simple webpage that uses an external JavaScript file. What I tried is as follows:

  1. I downloaded and put the chart.js file in the local folder and there is no CSP error (obviously).

  2. I tried the solution posted in "How does Content Security Policy (CSP) work?" I tried the suggestion with the meta tag for CSP as follows: <meta http-equiv="Content-Security-Policy" content="default-src 'self' https://cdn.jsdelivr.net/npm/"> But this did not work.

  3. I tried to put CSP in Apache http.conf and httpd-vhosts.conf as follows.

a. In http.conf file I tried:

LoadModule headers_module modules/mod_headers.so

<IfModule headers_module>
    RequestHeader unset Proxy early
    Header set Content-Security-Policy "script-src 'self' cdn.jsdelivr.net;"
    Header set Access-Control-Allow-Origin "*"
</IfModule>

b. In httpd-vhosts.conf file I tried:

<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/mypage"
    ServerName domain.name
    ServerAlias www.domain.name
    <IfModule headers_module>
        Header set Content-Security-Policy "script-src 'self' cdn.jsdelivr.net;"
        Header set Access-Control-Allow-Origin "*"
    </IfModule>
</VirtualHost>

None of the above worked. I do not think it is from the domain registrar side. So I think it is related to the Apache server. How can I get rid of CSP to load the JavaScript file from an external link?

ee-diary
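The behaviour behind attempts 2 and 3, as an added example that is not part of the original question: when a response carries more than one Content-Security-Policy (several headers, or a header plus a meta tag), the browser enforces every one of them, so an added policy can only narrow what loads. The matcher is a simplified subset of CSP source matching, and `STRICT` is a constructed stand-in for a policy delivered from elsewhere; the question does not show the headers actually sent.

```javascript
// Added example: simplified CSP source matching ('self', scheme/host/port/path only;
// no wildcards, nonces, hashes or 'strict-dynamic').
function parsePolicy(text) {
  const directives = {};
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources; // first occurrence wins
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // other keywords are out of scope here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const urlScheme = url.protocol.slice(0, -1);
  const wanted = (scheme || new URL(pageOrigin).protocol.slice(0, -1)).toLowerCase();
  // A source whose scheme is http (explicit or inherited from the page) also matches https.
  if (urlScheme !== wanted && !(wanted === 'http' && urlScheme === 'https')) return false;
  if (host.toLowerCase() !== url.hostname) return false;
  if ((port || '') !== url.port) return false; // simplification: default ports only
  if (!path) return true;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// One policy: script-src-elem, then script-src, then default-src governs <script src>.
function allowsScript(policyText, scriptUrl, pageOrigin) {
  const d = parsePolicy(policyText);
  const sources = d['script-src-elem'] || d['script-src'] || d['default-src'];
  if (!sources) return true; // this policy does not restrict scripts
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Several policies (headers and/or meta tags): the load must pass every one of them.
function loadAllowed(policies, scriptUrl, pageOrigin) {
  return policies.every((p) => allowsScript(p, scriptUrl, pageOrigin));
}

const PAGE = 'http://domain.name';                               // ServerName from the question
const CDN = 'https://cdn.jsdelivr.net/npm/chart.js';             // from the question
const META = "default-src 'self' https://cdn.jsdelivr.net/npm/"; // from the question
const HEADER = "script-src 'self' cdn.jsdelivr.net;";            // from the question
const STRICT = "script-src 'self'";                              // constructed, hypothetical

console.log(loadAllowed([META], CDN, PAGE), loadAllowed([STRICT, META], CDN, PAGE));
```

To see which policies a real response carries, inspect the response headers in the browser's network panel and count the Content-Security-Policy entries before changing the configuration.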

0 Answers