John Davidson

php - Content Security Policy: The page’s settings blocked the loading of a resource at domain.com (“default-src”)

Message:


I'm trying to embed a twitch.tv player in my webpage but I keep getting:


Content Security Policy: The page’s settings blocked the loading of a resource at https://player.twitch.tv/?channel=bluebeast8888&parent=http://blue.requiem.moe (“default-src”).

My current header settings:


    header("Content-Security-Policy: default-src 'self' *.twitch.tv; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; media-src *; frame-src 'unsafe-inline' 'unsafe-eval' *.twitch.tv;");

My current meta tag:


    <meta http-equiv="Content-Security-Policy" content="default-src 'self' player.twitch.tv; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.twitch.tv">

What am I doing wrong?



My Answer:
It looks like you have specified the domain player.twitch.tv in your meta tag but not in your header settings. Make sure to include player.twitch.tv in both your header and meta tag settings for the Content Security Policy. Additionally, make sure to remove the 'unsafe-inline' and 'unsafe-eval' directives from your script-src and frame-src settings as they can pose security risks. Your updated header and meta tag settings should look like this:

Header:

    header("Content-Security-Policy: default-src 'self' player.twitch.tv; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; media-src *; frame-src player.twitch.tv;");

Meta tag:

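Added example, not part of the original question or answer: when a page receives one policy in the response header and another in a meta tag, the browser enforces each separately, so a frame load has to pass both. The Python below parses the two policies quoted in the question and reports which directive decides frame loads in each (frame-src, then child-src, then default-src) and which keywords in frame-src have no effect; the function names are illustrative.

```python
# Added example (not from the original post): which directive governs an
# <iframe> load under each of the two policies quoted in the question.
HEADER_POLICY = ("default-src 'self' *.twitch.tv; "
                 "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                 "object-src 'none'; style-src 'self' 'unsafe-inline'; media-src *; "
                 "frame-src 'unsafe-inline' 'unsafe-eval' *.twitch.tv;")
META_POLICY = ("default-src 'self' player.twitch.tv; style-src 'self' 'unsafe-inline'; "
               "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.twitch.tv")

# CSP fallback order for nested browsing contexts (frames).
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")
# Keyword sources that never match a frame URL; they matter for script/style only.
NO_EFFECT_IN_FRAME_SRC = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_policy(policy):
    """Split a serialized policy into {directive-name: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        # A repeated directive is ignored by browsers: the first one wins.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def frame_governor(policy):
    """Return (directive, sources) that decides frame loads, or (None, None)."""
    directives = parse_policy(policy)
    for name in FRAME_FALLBACK:
        if name in directives:
            return name, directives[name]
    return None, None  # this policy does not restrict frames at all


def audit(policies):
    """Per policy: governing directive, its sources, and no-op keywords."""
    report = {}
    for label, policy in policies.items():
        name, sources = frame_governor(policy)
        no_effect = [s for s in (sources or [])
                     if name == "frame-src" and s in NO_EFFECT_IN_FRAME_SRC]
        report[label] = {"directive": name, "sources": sources, "no_effect": no_effect}
    return report


if __name__ == "__main__":
    for label, row in audit({"header": HEADER_POLICY, "meta": META_POLICY}).items():
        print(label, row)
```

For the policies in the question, frame loads are decided by frame-src in the header policy and by default-src in the meta policy, since the meta policy has no frame-src or child-src.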
