cobalt

Cobalt can't open URLs without a Content-Security-Policy setting


I found that Cobalt can only open the YouTube page, and can NOT open URLs without a Content-Security-Policy setting in the response data or in the HTML page (e.g. <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline'">), so is there any CSP config so that URLs without a Content-Security-Policy setting can also be opened?

The Content Security Policy spec: https://www.w3.org/TR/CSP2/


Solution

  • This is an intentional security feature, because Cobalt is aimed at running applications, not general web browsing. It can be disabled with the command line switch --csp_mode=disable, but this is disabled in gold builds.

    The CSP itself only applies to the page associated with the policy. Once you navigate to another page, as long as the navigation is allowed by the current page's policy, the policy will be thrown out and replaced with the next page's policy. But there is no way to use CSP to disable the CSP requirement enforcement.
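Since the answer turns on whether a response carries a policy at all, here is a small checker that reports where (if anywhere) a response declares a CSP, as a header or as a `<meta http-equiv>` tag, and splits it into directives. This is an added example, not Cobalt's code or part of the answer above; the sample responses are constructed inline, and it is an assumption that a policy in either location is what Cobalt looks for (the tool only reports what the response contains, it does not reproduce Cobalt's enforcement).

```python
"""Report whether an HTTP response carries a Content-Security-Policy (CSP),
either as a response header or as a <meta http-equiv> tag in the body, and
parse that policy into directives.

Added example, not Cobalt's own code. Assumption: a policy in either place is
what Cobalt checks for; this script only inspects the response, it does not
model Cobalt's enforcement."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

CSP_HEADER = "content-security-policy"


class _MetaCSPFinder(HTMLParser):
    """Find the first <meta http-equiv="Content-Security-Policy"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.policy: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta" or self.policy is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == CSP_HEADER:
            self.policy = a.get("content", "").strip()


def split_response(raw: bytes) -> Tuple[Dict[str, List[str]], str]:
    """Split a raw HTTP response into a header map (lower-cased names) and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF responses
        head, sep, body = raw.partition(b"\n\n")
    headers: Dict[str, List[str]] = {}
    for line in head.decode("iso-8859-1").splitlines()[1:]:  # skip status line
        name, colon, value = line.partition(":")
        if colon:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body.decode("utf-8", "replace")


def find_csp(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return ("header", policy) or ("meta", policy), or None if no CSP is present.
    The header wins over the meta tag; only the first header value is returned."""
    headers, body = split_response(raw)
    if CSP_HEADER in headers:
        return "header", headers[CSP_HEADER][0]
    finder = _MetaCSPFinder()
    finder.feed(body)
    if finder.policy:
        return "meta", finder.policy
    return None


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive-name: [source expressions]}.
    Per CSP2, a repeated directive name is ignored; the first occurrence wins."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


# Constructed sample responses (not captured from a real server).
POLICY = "object-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline'"
NO_CSP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          b"<html><body>no policy here</body></html>")
HEADER_CSP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              b"Content-Security-Policy: " + POLICY.encode() + b"\r\n\r\n"
              b"<html><body>policy in header</body></html>")
META_CSP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b'<html><head><meta http-equiv="Content-Security-Policy" content="'
            + POLICY.encode() + b'"></head><body>policy in meta</body></html>')

if __name__ == "__main__":
    for label, raw in (("NO_CSP", NO_CSP), ("HEADER_CSP", HEADER_CSP), ("META_CSP", META_CSP)):
        found = find_csp(raw)
        print(label, "->", found and (found[0], parse_csp(found[1])))
```

To use it against a real target, feed `find_csp` the raw bytes of the server's response (for example the output of `curl -si URL`); a `None` result means neither a header nor a meta policy was delivered, which is the situation the question describes.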