Refused to load the script because it violates the following Content Security Policy directive
The self answer given by MagngooSasa did the trick, but for anyone else trying to understand the answer, here are a few bit more details:
When developing Cordova apps with Visual Studio, I tried to import a remote JavaScript file [located here http://Guess.What.com/MyScript.js], but I have the error mentioned in the title.
Here is the meta tag before, in the index.html file of the project:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">Here is the corrected meta tag, to allow importing a remote script:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *;**script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval';** ">And no more error!
It was solved with:
script-src 'self' http://xxxx 'unsafe-inline' 'unsafe-eval';
For anyone looking for a complete explanation, I recommend you to take a look at Content Security Policy: https://www.html5rocks.com/en/tutorials/security/content-security-policy/.
"Code from https://mybank.com should only have access tohttps://mybank.com’s data, and https://evil.example.com shouldcertainly never be allowed access. Each origin is kept isolated fromthe rest of the web"
XSS attacks are based on the browser's inability to distinguish your app's code from code downloaded from another website. So you must whitelist the content origins that you consider safe to download content from, using the Content-Security-Policy HTTP header.
This policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own.
So, if you modify your tag to:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *;**script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval';** ">You are saying that you are authorizing the execution of JavaScript code (script-src)from the origins 'self', http://onlineerp.solution.quebec, 'unsafe-inline', 'unsafe-eval'.
I guess that the first two are perfectly valid for your use case, I am a bit unsure about the other ones. 'unsafe-line' and 'unsafe-eval' pose a security problem, so you should not be using them unless you have a very specific need for them:
"If eval and its text-to-JavaScript brethren are completely essentialto your application, you can enable them by adding 'unsafe-eval' as anallowed source in a script-src directive. But, again, please don’t.Banning the ability to execute strings makes it much more difficultfor an attacker to execute unauthorized code on your site." (Mike West, Google)