Content Security Policy: "Img-Src 'self' Data:"

Content Security Policy: img-src 'self' data:

Try replacing this part:

img-src * 'self' data: https:;

So the complete tag:

<meta http-equiv="Content-Security-Policy" content="default-src *;
img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *;
style-src 'self' 'unsafe-inline' *">

Content Security Policy Reference

Configuration of Content Security Policy to retrieve images from remote URL and local

You have a little typo here: https//example.com should be https://example.com, or with a wildcard, *.example.com

<meta http-equiv="Content-Security-Policy" content="default-src *;
script-src 'self' 'unsafe-eval' 'unsafe-inline';
img-src *.example.com 'self';
style-src 'self' 'unsafe-inline';">

Refused to load the image 'blob:...' because it violates the following Content Security Policy

This is the fix for both image and base64.

Need to add img-src 'self' blob: data:; as follows:

<meta http-equiv="Content-Security-Policy" 
content="
worker-src blob:;
child-src blob: gap:;
img-src 'self' blob: data:;
default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:">

Content Security Policy - data:image/svg+xml is ignored in img-src

Your example CSP is invalid. According to MDN Documentation you should use only hosts, schemas or other constant values. After correction, your example should look like:

img-src 'self' https://stats.g.doubleclick.net/ https://www.facebook.com/ https://www.google-analytics.com/ data:;
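
How the img-src source lists in the answers above are matched, as an added example that is not part of any of the original answers: a simplified JavaScript model (scheme and host only; ports, paths, nonces and hashes are ignored) showing that `*` does not cover `data:` or `blob:`, and that `img-src`, once present, replaces `default-src` for images. `PAGE_ORIGIN` and any URLs passed in are constructed values.

```javascript
// Added example: simplified model of CSP source matching for images.
// Ignores ports, paths, nonces and hashes. PAGE_ORIGIN is a constructed value.
const PAGE_ORIGIN = "https://app.example.com";
const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;            // data:, blob:, https:
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i;

// Split a policy string into { directive: [sources] }; first occurrence wins.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const [rawName, ...sources] = part.trim().split(/\s+/);
    const name = rawName.toLowerCase();
    if (name && !(name in out)) out[name] = sources;
  }
  return out;
}

// Does one source expression match the (already parsed) image URL?
function sourceMatches(source, url) {
  const network = url.protocol === "http:" || url.protocol === "https:";
  if (source === "*") return network;                // '*' never covers data: or blob:
  if (source === "'self'") return network && url.origin === PAGE_ORIGIN;
  if (SCHEME_SOURCE.test(source)) return url.protocol === source.toLowerCase();
  if (source.startsWith("'") || !network) return false;  // other keywords; non-network URL
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  // A host-source without a scheme is matched against the page's own scheme.
  const scheme = m[1] ? m[1].toLowerCase() + ":" : new URL(PAGE_ORIGIN).protocol;
  if (url.protocol !== scheme) return false;
  const host = m[2].toLowerCase();
  return host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1))           // "*.example.com" -> ".example.com"
    : url.hostname === host;
}

// img-src falls back to default-src only when img-src is absent from the policy.
function imageAllowed(policy, imageUrl) {
  const directives = parsePolicy(policy);
  const sources = directives["img-src"] || directives["default-src"];
  if (!sources) return true;                         // no directive governs images
  const url = new URL(imageUrl, PAGE_ORIGIN);
  return sources.some((s) => sourceMatches(s, url));
}
```

Run against the blob: policy above, this model rejects a remote https image even though default-src contains `*`, because the explicit img-src list is the only one consulted for images. The first answer's `img-src * 'self' data: https:` accepts images from any host, so it is worth narrowing to the hosts actually used once loading works.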


