Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share

0 votes
233 views
in Technique [Technology] by (71.8m points)

javascript - Content security policy including a script

I need to include this script https://apis.google.com/js/api:client.js in my website. On Google Chrome it works fine, but on Firefox (and IE obviously), I get some errors:

Content Security Policy: Ignoring “‘unsafe-inline’” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified

I tried to change the content security policy header in a meta tag but it didn't work.

I tried with all of these:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' apis.google.com">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://*.google.com; object-src 'self' 'unsafe-eval'">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' apis.google.com;">
question from: https://stackoverflow.com/questions/48551787/content-security-policy-including-a-script


1 Answer

0 votes
by (71.8m points)

I know this question is a year old, but it's still one of the first things to come up when searching for this problem, and as yet doesn't have the correct answer.

I understand. I'm one of those people who likes to see a pristine console in production, so stuff like this drives me nuts, but there's actually nothing we can do about it. Firefox is reporting warnings out to the console when it shouldn't.

Both Mozilla and Google recommend including fallback CSP1 policies along with CSP3's 'strict-dynamic'. Browsers that understand 'strict-dynamic' should ignore the CSP1 policies, and browsers that don't should ignore the unrecognized 'strict-dynamic' and follow the CSP1 policies. The operative word is ignore. Truly ignoring includes not announcing you're ignoring.


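Added example, not code from the question or the answer: a small JavaScript model of how a CSP1, CSP2 and CSP3 browser each read the same script-src directive, using the 'strict-dynamic' plus fallback layout the answer refers to. It shows that the fallbacks are dropped by a CSP3 browser (the source of the Firefox warnings) while still protecting older browsers. The nonce value and the helper names are constructed for this example.

```javascript
// Policy in the recommended layout: nonce + 'strict-dynamic' for CSP3 browsers,
// 'unsafe-inline' and scheme sources as fallbacks for older ones.
// The nonce value is constructed for this example; a real one is random per response.
const RECOMMENDED_POLICY =
  "script-src 'nonce-R4nd0mV4lu3' 'strict-dynamic' 'unsafe-inline' https: http:; " +
  "object-src 'none'; base-uri 'none'";

// Split a serialized policy into { directiveName: [source expressions] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// cspLevel models the browser: 1 = host/scheme allowlists only, 2 = adds nonces
// and hashes, 3 = adds 'strict-dynamic'. Returns the source expressions that are
// actually enforced plus the warnings a CSP3 browser reports for the rest.
function effectiveScriptSrc(policy, cspLevel) {
  let sources = parsePolicy(policy)['script-src'] || [];
  const warnings = [];
  const isNonceOrHash = s => /^'(nonce|sha256|sha384|sha512)-/.test(s);
  // Older browsers silently drop keywords they do not know (the "ignore" in the answer).
  if (cspLevel < 3) sources = sources.filter(s => s !== "'strict-dynamic'");
  if (cspLevel < 2) sources = sources.filter(s => !isNonceOrHash(s));
  if (cspLevel >= 3 && sources.includes("'strict-dynamic'")) {
    // CSP3 with 'strict-dynamic': host and scheme sources, 'self' and 'unsafe-inline'
    // are ignored. Trust comes only from nonces/hashes and propagates to scripts
    // that a trusted script loads itself (e.g. api:client.js pulling in its parts).
    const enforced = [];
    for (const s of sources) {
      const ignored = s.startsWith("'") ? (s === "'unsafe-inline'" || s === "'self'") : true;
      if (ignored) warnings.push(`Ignoring "${s}" within script-src: 'strict-dynamic' specified`);
      else enforced.push(s);
    }
    return { enforced, warnings };
  }
  // CSP2: once a nonce or hash is present, 'unsafe-inline' is no longer honoured.
  if (cspLevel >= 2 && sources.some(isNonceOrHash)) {
    sources = sources.filter(s => s !== "'unsafe-inline'");
  }
  return { enforced: sources, warnings };
}

// What each generation of browser ends up enforcing for one policy.
function compareLevels(policy) {
  return [1, 2, 3].map(level => ({ level, ...effectiveScriptSrc(policy, level) }));
}
```

For RECOMMENDED_POLICY the level 3 result keeps only the nonce and 'strict-dynamic' and reports three "Ignoring ..." warnings, which is exactly the console output in the question; level 1 and 2 browsers still get a working allowlist.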