We Keep Coding

I have set the rule for CSP but the browser gives error with different rule of CSP

I have set my CSP in meta tag as follows:
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' cdn.jsdelivr.net unpkg.com accounts.google.com code.jquery.com 'sha256-lJMW30jo60M6VSFHAaxO+izJVqSNTP0VHJM8ChvH0mQ=';" />
But the browser give different CSP as reference of error:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-lJMW30jo60M6VSFHAaxO+izJVqSNTP0VHJM8ChvH0mQ='), or a nonce ('nonce-...') is required to enable inline execution."
Why that can be happened? Clearly i dont put the CSP as script-src *

Content Security Policy invalid characters

Chrome is returning this error on the console while defining basic csp codes:
The Content-Security-Policy directive name 'Content-Security-Policy:'
contains one or more invalid characters. Only ASCII alphanumeric
characters or dashes '-' are allowed in directive names.
This is all I have on my .htaccess file:
Header always set Content-Security-Policy "default-src 'self' script-src: 'self' 'unsafe-inline';"
Is there anything wrong you can see? Thanks

Yes, you have an error. You forgot a ";" before script-src:
Header always set Content-Security-Policy "default-src 'self'; script-src: 'self' 'unsafe-inline';"

How to fix cors on s3

I set up CORS on s3 using https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManageCorsUsing.html. On my site I am using ckeditor to upload an image which sends it to s3. problem is, the POST works but GET does not. fails with
cross-origin-resource-policy
To use this resource from a different
origin, the server needs to specify a cross-origin resource policy in
the response headers:
Cross-Origin-Resource-Policy: same-site
Choose this option if the resource and the document are served from the same
site.
Cross-Origin-Resource-Policy: cross-origin
Only choose this option if an arbitrary website including this resource does not impose
a security risk.
Response from GET
Accept-Ranges: bytes
Content-Length: 90105
Content-Type: image/png
Date: Wed, 12 May 2021 16:44:33 GMT
ETag: "3524cdaa5d0975c249bb464033808244"
Last-Modified: Wed, 12 May 2021 16:44:33 GMT
Server: AmazonS3
...
x-amz-id-2: pNoskXKWXhpCbwArHgIN4kVD+oO8Pyq/3PIJAEcSJCo3hWMmHVspn2mIjfItCFAM+jUXtcN3pqY=
x-amz-request-id: 3BEE5J8RQPCXTQ93
I have the following set on apache server
Header set Content-Security-Policy "default-src 'self' *.s3.amazonaws.com *.uatdomainplus.com *.qadomainplus.com *.hci.com hci.com ; font-src *.typekit.net cdnjs.cloudflare.com fonts.gstatic.com *.hcidomain.plus *.uatdomainplus.com *.qadomainplus.com ; img-src 'self' data: *.s3.amazonaws.com; style-src 'self' 'unsafe-inline' p.typekit.net use.typekit.net cdnjs.cloudflare.com cdn.jsdelivr.net fonts.googleapis.com cdn.datatables.net; script-src 'self' 'unsafe-inline' ajax.googleapis.com cdnjs.cloudflare.com maxcdn.bootstrapcdn.com cdn.jsdelivr.net cdn.datatables.net;"
Header always set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always append X-Frame-Options SAMEORIGIN
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
### set only for webapps
Header add Access-Control-Allow-Origin "s3.amazonaws.com uatdomainplus.com qadomainplus.com hci.com typekit.net cdnjs.cloudflare.com fonts.gstatic.com hcidomain.plus uatdomainplus.com qadomainplus.com cdn.datatables.net"
Header always set Access-Control-Allow-Methods "POST,GET,OPTIONS,PUT,PATCH,DELETE"
Header always set Access-Control-Max-Age "3600"
Header always set Access-Control-Allow-Headers "Content-Type,Authorization"
Header always set Cross-Origin-Embedder-Policy: require-corp
Header always set Cross-Origin-Opener-Policy: same-origin
Header always set Cross-Origin-Resource-Policy: cross-origin

CSP Meta Tag incorrect: Blocking all fonts and JS

I followed up on a different SO answer and updated my meta tag like so:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:; default-src 'self' 'unsafe-inline'; https://*.googleapis/*/ https://*.fontawesome.com/*/ script-src 'self' 'unsafe-eval'; object-src 'self';">
My aim was to get FontAwesome to pass a CySec findings. However, the fix broke more than it fixed:
Ignoring duplicate Content-Security-Policy directive 'default-src'.
folio.dubaiairports.ae/:9 Ignoring duplicate Content-Security-Policy directive 'default-src'.
Unrecognized Content-Security-Policy directive '<URL>'.
mySite.myCompany.co/:9 Unrecognized Content-Security-Policy directive 'https://*.googleapis/*/'.
chext_driver.js:65 Unrecognized Content-Security-Policy directive 'https://*.googleapis/*/'.
mySite.myCompany.co/:1 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Roboto:400,500' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
blazor.server.js:1 [2021-01-26T09:27:01.087Z] Information: Normalizing '_blazor' to 'https://mySite.myCompany.co/_blazor'.
mySite.myCompany.co/:1 Refused to load the script 'https://kit.fontawesome.com/4f9675fbb7.js' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
mySite.myCompany.co/:1 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Roboto:400,500' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
Any helpful pointers will be greatly appreciated

Your CSP has errors:
a double default-src directives, the second one will be ignored.
in the part 'unsafe-inline'; https://*.googleapis/*/ https://*.fontawesome.com/*/ the directive name is missed, therefore browser counts a https://*.googleapis/*/ and https://*.fontawesome.com/*/ host-sources as directive's names'. The ; is a separator for directives, therefore after 'unsafe-inline'; a directive name should follow.
https://*.googleapis/*/ and https://*.fontawesome.com/*/ have invalid syntax because * is not allowed in the path-part or to cover top level domain zone, pls see how to correctly specify host-source.
I an not sure about gap: and content: scheme-sources, they not used in ordinary CSP, but they may be applicable in CSP for browser extensions.

Content Security Policy style-src refuses to load in Safari

Using Safari 11.0 I am receiving an error trying to load a CSS resource on a website I maintain. The page loads fine in Chrome and Firefox, and used to load fine in Safari, so I'm not sure how to resolve it. I'm guessing I need to modify the Content-Security-Policy header.
The specific error from the Safari console is Refused to load https://****.com/css/styles.css because it does not appear in the style-src directive of the Content Security Policy. As a result of this, the styles.css file isn't loading and the website is rendered incorrectly.
The security headers for the website (set via caddy) are:
Content-Security-Policy default-src 'self' https:; script-src 'self'; style-src 'self'; object-src 'none'
Content-Type text/html; charset=utf-8
Referrer-Policy strict-origin
Server Caddy
Strict-Transport-Security max-age=31536000; includeSubDomains; preload

Change the style-src part of the Content-Security-Policy header value so that it’s instead style-src 'self' https://****.com. That is, replace the ****.com in https://****.com with whatever the actual hostname is.