Content security policy including a script

Question

I need to include this script https://apis.google.com/js/api:client.js in my website. On Google Chrome it works fine, but on Firefox (and IE obviously), I g

Answer 1

I know this question is a year old, but it's still one of the first things to come up when searching for this problem, and as yet doesn't have the correct answer.

I understand. I'm one of those people who likes to see a pristine console in production, so stuff like this drives me nuts, but there's actually nothing we can do about it. Firefox is reporting warnings out to the console when it shouldn't.

Both Mozilla and Google recommend including fallback CSP1 policies along with CSP3's 'strict-dynamic'. Browsers that understand 'strict-dynamic' should ignore the CSP1 policies, and browsers that don't should ignore the unrecognized 'strict-dynamic' and follow the CSP1 policies. The operative word is ignore. Truly ignoring includes not announcing you're ignoring.

Answer 2

You have to edit the CSP headers not on the HTML, but on the server HTTP headers, do you have control of the server?

Meta tags and such will be ignored because the HTTP Headers take precedence, fix those first.