Search Support

Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified

more options

I have specified header

header("Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval';");

?> Why Firefox is still showing me this errors?

Attached screenshots

Chosen solution

By any chance, do you have a Google Map embedded in that page? I ask because similar messages were mentioned in this thread:

https://www.reddit.com/r/firefox/comments/fpptyj/firefox_content_security_policy_console_output/

Read this answer in context 👍 1

All Replies (4)

more options

Do you have a script-src directive anywhere? If not, I wonder whether those messages could be coming from an add-on.

Helpful?

more options

Hello, thanks for your time! What do you mean by that? I have few <script src=...></script> in my document body. And inline js too.

And also I have <meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'"> in the document's <head>

Why do I see this warnings anyway? I'd like to get rid of them.

Helpful?

more options

Chosen Solution

By any chance, do you have a Google Map embedded in that page? I ask because similar messages were mentioned in this thread:

https://www.reddit.com/r/firefox/comments/fpptyj/firefox_content_security_policy_console_output/

Helpful?

more options

Yes! Google Maps iframe. Thanks!

Helpful?

Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.