I am working on a twitch extension and I have created an API externally for the app to connect to. I've had this error now for roughly two days and I can't seem to find a solution to it.
Refused to connect to 'https://community.shadowmont.com/oauth/GetUserProfileDetails' because it violates the following Content Security Policy directive: "connect-src 'self' https://lgqt8zmxwk4v3ubxobrmy8r2f49uc1.ext-twitch.tv https://api.twitch.tv wss://pubsub-edge.twitch.tv https://www.google-analytics.com https://stats.g.doubleclick.net".
The front end is JavaScript / HTML and it's trying to connect to an MVC5 API. I've Googled around for the answer and most posts say to add a meta-tag to the header, but no matter what I try, this does not solve the issue. I'm at a point now where I am not sure what to do.
One of the posts I found told me to add
<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:; default-src 'self' http://XX.XX.XX.XX:8084/mypp/">
But this didn't work.
You need to add any External Domains you connect to in the "Allowlist for URL Fetching Domains" in the Dev Console for your Extension. The same goes for External Media or Images.
Extensions utilise a CSP or Content Security Policy to control/limit/protect Extensions from connecting to unexpected things.
Twitch DOES NOT support the meta tag version of this, as it is less secure. It is overriden/set by the Twitch Extensions CDN Server Headers for security reasons.
To populate these parameters,
Allowlist for URL Fetching Domains at the bottom.Add in the URL's as needed.
Further reading
For testing under local test there is this NodeJS Module which you can use as is or copy the relevant logic into your own local test system which will save you having to jump to hosted test/local test too much.