
I followed the instructions to set a CSP that allows everything in .htaccess, as below:

Header Set Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'"

However, after that, when visiting my website I still get 28 errors, as below:

Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'unsafe-eval'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

And below is a screenshot:

Why?

alancc
  • That's because `data:` URLs are not covered by `*`. Use `default-src * data: 'unsafe-inline' 'unsafe-eval'`, which is almost equivalent to no CSP. – granty Aug 17 '21 at 13:48
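As an added example (not code from the question or the comment), the Python below approximates how a browser matches a fetched URL against a CSP source list, including the rule the comment points at: a bare `*` covers only network schemes, so a `data:` image is rejected unless `data:` is listed explicitly, and a directive that lacks its own entry falls back to `default-src`. The sample data URL and host names are constructed; keyword sources such as `'self'` are not evaluated.

```python
from urllib.parse import urlparse

# Schemes the bare wildcard "*" covers (CSP3 "network schemes"); data:, blob: and
# filesystem: are deliberately excluded, which is why the question's policy rejects
# inline base64 images even though it looks like it allows everything.
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def parse_policy(policy):
    """Split a serialized CSP into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _matches(expr, url, page_scheme):
    """Does one source expression match the URL? Keyword sources ('self', 'none',
    'unsafe-inline', ...) are not URL matchers and are treated as non-matching here."""
    u = urlparse(url)
    if expr.startswith("'"):
        return False
    if expr == "*":
        return u.scheme in NETWORK_SCHEMES or u.scheme == page_scheme
    if expr.endswith(":") and "/" not in expr:          # scheme-source, e.g. data:
        return u.scheme == expr[:-1].lower()
    scheme, _, rest = expr.rpartition("://")          # host-source, e.g. https://*.example.com
    if scheme and scheme.lower() != u.scheme:
        return False
    if not u.hostname:                                # data:/blob: URLs have no host
        return False
    host = rest.split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])
    return u.hostname == host


def url_allowed(policy, directive, url, page_scheme="https"):
    """Evaluate a fetch against the policy, falling back to default-src like a browser."""
    directives = parse_policy(policy)
    source_list = directives.get(directive, directives.get("default-src", []))
    return any(_matches(e, url, page_scheme) for e in source_list)


def permissive_tokens(policy, directive="default-src"):
    """Tokens that make a directive roughly equivalent to having no CSP at all."""
    risky = {"*", "data:", "blob:", "'unsafe-inline'", "'unsafe-eval'"}
    return sorted(risky & set(parse_policy(policy).get(directive, [])))
```

Running `url_allowed` with the question's policy against a `data:` image returns `False`, and `permissive_tokens` on the policy suggested in the comment lists every token that disables CSP's protection.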

0 Answers