When i try authenticate, the redirect URL for it has a response 400:
api.twitter.com/oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx:1 GET https://api.twitter.com/oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx 400 () /oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src https://abs.twimg.com https://abs-0.twimg.com". Either the 'unsafe-inline' keyword, a hash ('sha256-4Su6mBWzEIFnH4pAGMOuaeBrstwJN4Z3pq/s1Kn4/KQ='), or a nonce ('nonce-...') is required to enable inline execution.
In my page "connect twitter" has a meta CSP:
<meta http-equiv="Content-Security-Policy" content="default-src *;
style-src 'self' http://* https://* 'unsafe-inline'; script-src 'self'
http://* 'unsafe-inline' 'unsafe-eval'; img-src * data:" />
Whats going wrong?
That's complaining about Twitter's CSP directive and not your own.
You can see their directive here, and it contains the following:
style-src https://abs.twimg.com https://abs-0.twimg.com
Which directly matches the error message.
Why Twitter are apparently blocking their own api call I don't know.
Btw on a separate note I think your syntax is wrong as don't think https://* is allowed, and it should be:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http: https: 'unsafe-inline'; script-src 'self' http: 'unsafe-inline' 'unsafe-eval'; img-src * data:" />