i have tried many ways of loading google maps and firebaseio without success: this is what i have now:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: ;
  script-src 'self' /* 'unsafe-inline' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';">

and i get:

Refused to load the script '' because it violates the following Content Security Policy directive: "script-src 'self' /* 'unsafe-inline' 'unsafe-eval'".

Refused to load the script '/.lp?start=t&ser=79549912&cb=1&v=5' because it violates the following Content Security Policy directive: "script-src 'self' /* 'unsafe-inline' 'unsafe-eval'".

any ideas what am i doing wrong?

i have tried many ways of loading google maps and firebaseio without success: this is what i have now:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com;
  script-src 'self' https://maps.googleapis.com/* 'unsafe-inline' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';">

and i get:

Refused to load the script 'https://maps.googleapis.com/maps/api/js?libraries=places' because it violates the following Content Security Policy directive: "script-src 'self' https://maps.googleapis.com/* 'unsafe-inline' 'unsafe-eval'".

Refused to load the script 'https://test.firebaseio.com/.lp?start=t&ser=79549912&cb=1&v=5' because it violates the following Content Security Policy directive: "script-src 'self' https://maps.googleapis.com/* 'unsafe-inline' 'unsafe-eval'".

any ideas what am i doing wrong?

• javascript
• google-maps
• firebase
• phonegap-plugins
• content-security-policy

Share Improve this question Follow asked Jul 11, 2015 at 7:36 PatrioticcowPatrioticcow 27k7676 gold badges220220 silver badges339339 bronze badges 3

• tried 'https://maps.googleapis.com/*' rather than https://maps.googleapis.com/* – Sushant Commented Jul 11, 2015 at 7:38
• @Sushant, nope. i get The source list for Content Security Policy directive 'script-src' contains an invalid source: ''https://maps.googleapis.com/*''. It will be ignored. – Patrioticcow Commented Jul 11, 2015 at 7:42
• fwiw scheme://host/* isn't a valid CSP pattern. https://maps.googleapis.com is what you're trying to accomplish. – oreoshake Commented Sep 3, 2015 at 18:36

Add a comment  | 

2 Answers 2

Sorted by: Reset to default 20

this did the trick :)

<meta http-equiv="Content-Security-Policy"
          content="default-src *;
               script-src 'self' 'unsafe-inline' 'unsafe-eval'
                           127.0.0.1:*
                           http://*.google.com
                           http://*.gstatic.com
                           http://*.googleapis.com
                           http://*.firebaseio.com
                           https://*.google.com
                           https://*.gstatic.com
                           https://*.googleapis.com
                           https://*.firebaseio.com
                           ;
               style-src  'self' 'unsafe-inline'
                          127.0.0.1
                           http://*.google.com
                           http://*.gstatic.com
                           http://*.googleapis.com
                           http://*.firebaseio.com
                           https://*.google.com
                           https://*.gstatic.com
                           https://*.googleapis.com
                           https://*.firebaseio.com
">

and the google script <script src="https://maps-api-ssl.google.com/maps/api/js?libraries=places"></script>

for development without any restrictions use:

<meta http-equiv="Content-Security-Policy" 
      content="default-src * 'unsafe-eval' 'unsafe-inline'">