
An issue when loading a script whenever the XSS meta tag is present on the index page


I am implementing an accessibility solution for a secure website which has the following meta header:

<meta http-equiv="Content-Security-Policy" content="default-src *; child-src 'none'; object-src 'none';img-src 'self' data:;style-src 'self' 'unsafe-inline'">

There is also a script tag which is responsible for the injection of my solution code (written in javascript) and it contains the following function:

fix.ReadXml = function () {
    // Fetch and execute the script at this.path; the callback only runs on success
    $.getScript(this.path, function () {
        // Some callback code...
    });
};

The path is being set correctly, that I can guarantee. This is the first AJAX call in my script execution logic and the script file being called is loaded, however the callback function is not being triggered and the execution chain breaks here, with no error codes in the Chrome console whatsoever.

When the developer removes his XSS meta tag the script execution proceeds correctly and my solution loads normally. So, can anyone please give me an explanation of why this might happen? Unfortunately, the meta tag is a part of the website's security policy and cannot be removed. Is there anything I should add to my code in order for the callback to trigger whenever the meta tag is present?

Thanks in advance.


Solution

  • When Content-Security-Policy is loaded it disables inline script and some JavaScript functions. The browser's developer console will tell you what caused the problem. My guess is that you are either loading scripts from an external domain (the current meta policy only allows same domain) or that getScript is using eval internally (and CSP disables eval). There is no easy fix. Either change the policy (override with header) or you will have to do things in a different way.
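To check the answer's two hypotheses against the actual policy, here is an added example (not code from the question or the answer): a small CSP evaluator that parses the posted meta content, applies the fallback from script-src to default-src, and reports whether eval, inline script, and a script from a given origin would be allowed. The page origin https://example.test and the script URLs are constructed for illustration, and host matching is simplified to '*', 'self' and exact origins.

```javascript
// Policy taken verbatim from the question's <meta> tag.
const PAGE_POLICY = "default-src *; child-src 'none'; object-src 'none';" +
  "img-src 'self' data:;style-src 'self' 'unsafe-inline'";

// Parse "dir src src; dir src" into { dir: [src, ...] }; a repeated
// directive is ignored, as browsers keep the first occurrence.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in out)) out[name] = tokens.slice(1);
  }
  return out;
}

// script-src (like other fetch directives) falls back to default-src when
// absent; null means the policy places no restriction at all.
function effectiveSources(policy, directive) {
  return policy[directive] || policy['default-src'] || null;
}

// eval()/new Function() need 'unsafe-eval' in the effective script sources.
function allowsEval(policy) {
  const src = effectiveSources(policy, 'script-src');
  return src === null || src.includes("'unsafe-eval'");
}

// Inline <script> blocks need 'unsafe-inline' (or a nonce/hash, not modelled here).
function allowsInlineScript(policy) {
  const src = effectiveSources(policy, 'script-src');
  return src === null || src.includes("'unsafe-inline'");
}

// Simplified host-source matching: '*' (any network origin), 'self', or an
// exact origin string such as https://cdn.example.net (constructed values).
function allowsScriptFrom(policy, pageOrigin, scriptUrl) {
  const src = effectiveSources(policy, 'script-src');
  if (src === null) return true;
  const origin = new URL(scriptUrl).origin;
  return src.some(s =>
    s === '*' || (s === "'self'" && origin === pageOrigin) || s === origin);
}

const policy = parseCsp(PAGE_POLICY);
console.log('eval allowed:', allowsEval(policy));            // false
console.log('inline allowed:', allowsInlineScript(policy));  // false
console.log('external fetch allowed:',
  allowsScriptFrom(policy, 'https://example.test', 'https://cdn.example.net/fix.js')); // true
```

Run against the posted policy, the checker shows that default-src * lets the script file itself load from any origin, but the absence of 'unsafe-eval' and 'unsafe-inline' blocks any eval-style execution of the fetched source, which matches the symptom of a loaded file whose callback never fires.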