Content Security Policies (CSPs) are meant to add security to websites and web apps against malicious scripting attacks. These types of attacks include Cross-Site Scripting (XSS) and data injection attacks.
In my case, the project I was working on had been relying on the Resource Override Chrome extension to develop CSS and JS against a remote environment. This worked fine until the backend team changed the server's global CSP setting.
The Content-Security-Policy is an HTTP response header, but it can also be applied as a meta tag. On my project, the meta tag was exactly how the policy was being applied, and therefore where I had to make the change.
I did not have access to the remote server, so there was no way for me to change this setting there.
Instead, I set up a local instance of the site. There, I was able to remove the meta tag completely and therefore loosen the CSP, allowing my Resource Override (RO) assets to be used. I removed the following line:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
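As an added illustration (not code from the original post), the Python checker below pulls the policy out of a CSP meta tag and reports which asset URLs a `default-src 'self'` policy would block before you touch the tag; the sample HTML, the page origin and the cdn host are constructed, and the tag is assumed to use the attribute order shown above.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: same tag as in the post, plus an img-src directive to show fallback.
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' https://cdn.example.com">
</head><body><script src="/app.js"></script></body></html>"""

# Assumes the attribute order http-equiv="..." content="..." used in the post.
META_RE = re.compile(r'<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"', re.I)


def extract_meta_csp(html):
    """Return the policy string from the CSP meta tag, or None if the page has no such tag."""
    m = META_RE.search(html)
    return m.group(1) if m else None


def parse_policy(policy):
    """Split "default-src 'self'; img-src a b" into {'default-src': ["'self'"], 'img-src': ['a', 'b']}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_allowed(directives, directive, url, page_origin):
    """True if fetching `url` under `directive` is permitted; fetch directives fall back to default-src."""
    sources = directives.get(directive)
    if sources is None:
        sources = directives.get("default-src")
    if sources is None:
        return True  # no applicable directive, so the CSP does not restrict this fetch
    if sources == ["'none'"]:
        return False
    target, page = urlparse(url), urlparse(page_origin)
    # Relative URLs resolve against the page's own origin.
    target_origin = f"{target.scheme or page.scheme}://{target.netloc or page.netloc}"
    self_origin = f"{page.scheme}://{page.netloc}"
    for src in sources:
        if src == "'self'" and target_origin == self_origin:
            return True
        if src == "*" or src.rstrip("/") == target_origin:
            return True
    return False
```

Run `source_allowed` over the script and style URLs your override tool serves to see exactly which ones `default-src 'self'` rejects, which tells you whether a scoped allowance would do instead of dropping the tag.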