Joshua Whalen - 1 year ago 75
HTML Question

What exactly does the http-equiv value 'Content-Security-Policy' do?

I'm creating a mobile application using Apache Cordova/Adobe Phonegap, and this code snippet was automatically generated. It's giving me this error in the Console inside Google Chrome.

Refused to load the stylesheet '' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".

What exactly does this HTML element do?

<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src *" />

Answer Source

The <meta> tag provides metadata (data about data) about the web page. It's not displayed on the page, but it is parsed by the browser.

Read more about the <meta> tag here.

Regarding the meta tag in question, the Content-Security-Policy meta tag allows you to reduce the risk of XSS attacks by allowing you to define where resources can be loaded from, preventing browsers from loading data from any other locations. This makes it harder for an attacker to inject malicious code into your site, as worded from this answer.
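
Why the error in the question occurs, as an added example that is not part of the original answer: a simplified evaluator for the question's policy showing that `style-src`, once present, replaces the permissive `default-src *` for stylesheets. The function names, the page origin `https://app.example` and the stylesheet host `fonts.example.net` are assumptions made up for the illustration.

```javascript
// Added example: simplified CSP source matching, not a full implementation of the spec.
// The policy string is the one from the question's <meta> tag.
const POLICY = "default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src *";

// Split "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match the target URL? Handles *, 'self', scheme and host sources.
function sourceMatches(source, target, pageOrigin) {
  const s = source.toLowerCase();
  if (s === '*') return target.protocol === 'http:' || target.protocol === 'https:';
  if (s === "'self'") return target.origin === pageOrigin;
  if (s.startsWith("'")) return false; // 'unsafe-inline' etc. govern inline code, not URLs
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  return s.includes('://') ? target.origin === s : target.host === s;
}

// Decide whether a load is allowed and report which directive made the decision.
function checkLoad(policy, directive, url, pageOrigin) {
  const directives = parsePolicy(policy);
  // default-src is only a fallback: it applies when the specific directive is absent.
  const used = directives.has(directive) ? directive : 'default-src';
  const sources = directives.get(used);
  if (sources === undefined) return { allowed: true, directive: null };
  const target = new URL(url, pageOrigin);
  return { allowed: sources.some((s) => sourceMatches(s, target, pageOrigin)), directive: used };
}

// Constructed inputs: page origin and stylesheet host are placeholders.
const PAGE = 'https://app.example';
const EXTERNAL_CSS = 'https://fonts.example.net/css/font.css';
const FIXED = POLICY.replace("style-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' https://fonts.example.net");

console.log(checkLoad(POLICY, 'style-src', EXTERNAL_CSS, PAGE));    // blocked by style-src
console.log(checkLoad(POLICY, 'style-src', 'css/index.css', PAGE)); // same origin, allowed
console.log(checkLoad(POLICY, 'img-src', 'https://cdn.example.net/logo.png', PAGE)); // falls back to default-src
console.log(checkLoad(FIXED, 'style-src', EXTERNAL_CSS, PAGE));     // host listed, allowed
```

Listing the specific stylesheet host in `style-src`, as `FIXED` does, keeps the policy narrower than widening it to `*`.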