So I've been trying to set up a website using Bitbucket Pages. I've pushed all the files to a repository I created xxxx.bitbucket.io. I can access web pages there through the browser. But I get this weird error in the chrome console if the html file loads any javascript files:
"[Report Only] Refused to load the script 'xxxx' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback."
I have script tags in the header of my document like so:
<script src="jquery-3.4.1.min.js"></script>
<script src="jquery.csv.js"></script>
<script src="https://www.gstatic.com/firebasejs/6.6.1/firebase-app.js"></script>
I have looked it up and found that this is to do with CSP. So how do I sort this out? I tried adding this meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'">
But this didn't work. I thought that if I omitted 'strict-dynamic' in the script-src directive that it would work. Is it not working because there are directives somewhere in a place that I cannot edit that clash with the ones in the meta tag? If so, how do I change these? CSP seems to be a rather complex and unintuitive topic I've tried to get my head around and I'm very confused. It seems that Bitbucket has some kind of policy in place that I cannot change. But I just need these scripts working. How do I do this?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.