My server (my.server.com) produces an HTML page that calls another service (external.server.com) to load data.
For the Ajax call I'm using jQuery:
```javascript
$.ajax({
  url: "https://external.server.com/check",
  type: "GET",       // the HTTP method belongs in 'type'; 'dataType: get' was not a valid data type
  dataType: "json",  // the response is JSON (an array)
  success: function (json) {
    // do stuff with json (in this case an array)
    $("#userContainer").append(json); // "#" assumed: userContainer is an element id, not a tag name
  },
  error: function () {
    alert("Error");
  }
});
```
When I try to call the service I receive a browser error:
```
Refused to connect to 'https://external.server.com/check' because it violates the following Content Security Policy directive: "default-src 'self'"
```
In my HTML page I'm loading JavaScript resources like this:
```html
<script src="webjars/jquery/1.9.1/jquery.min.js"></script>
<script src="js/custom.js"></script>
```
And my CSP header configuration is:
```html
<meta http-equiv="Content-Security-Policy" content="default-src my.server.com; script-src 'unsafe-inline' my.server.com; connect-src external.server.com">
<meta http-equiv="X-Content-Security-Policy" content="default-src my.server.com; script-src 'unsafe-inline' my.server.com; connect-src external.server.com">
<meta http-equiv="Access-Control-Allow-Origin" content="*">
```
What am I doing wrong?
Thanks
2 Answers
Use "default-src *".
You can follow the link below; it may be helpful for you.
click here
You have to use the connect-src policy, not the content. As you can see, the error is because it refuses to CONNECT; to solve that, add:
Make sure you add the full URL, including http://…, etc.
For more information go to https://content-security-policy.com/connect-src/
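As an added illustration (not code from the question or either answer), the following script models the rule behind the error: connect-src governs XHR/fetch, the browser falls back to default-src when connect-src is absent, and when several policies are delivered (an HTTP header plus meta tags) every one of them must allow the request, with the refusing policy's directive being the one named in the console. The function names and the sample policies are constructed for this example; only 'self', 'none', '*', scheme sources and host sources are handled.

```javascript
// Added example: a simplified evaluator of CSP connect-src / default-src.
// Not handled: nonces, hashes, ports, paths (kept small on purpose).

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources; // first occurrence wins
  }
  return directives;
}

function sourceMatches(source, target, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === pageOrigin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/.exec(s);  // host source
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  const h = target.hostname.toLowerCase();
  return wildcard ? h.endsWith('.' + host) : h === host;
}

// Every delivered policy must allow the request; the first one that refuses
// is the one whose directive the browser reports in its console message.
function allowsConnect(policies, url, pageOrigin) {
  const target = new URL(url);
  for (const policy of policies) {
    const d = parseCsp(policy);
    const sources = d['connect-src'] ?? d['default-src']; // fallback rule
    if (sources === undefined) continue;                   // no directive: unrestricted
    if (!sources.some((src) => sourceMatches(src, target, pageOrigin))) {
      const directive = d['connect-src'] ? 'connect-src' : 'default-src';
      return { allowed: false, directive, sources: sources.join(' ') };
    }
  }
  return { allowed: true };
}

// Constructed sample: the meta policy from the question, plus a stricter
// policy delivered by an HTTP header; the stricter one blocks the call.
const META = "default-src my.server.com; script-src 'unsafe-inline' my.server.com; connect-src external.server.com";
const HEADER = "default-src 'self'";
const PAGE = 'https://my.server.com';
const CHECK = 'https://external.server.com/check';
```

Running `allowsConnect([META], CHECK, PAGE)` allows the request, while `allowsConnect([META, HEADER], CHECK, PAGE)` refuses it and reports `default-src 'self'`, the same directive text the question's browser message shows.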