You have said you can only load scripts from your own site (self). You have then tried to load a script from another site (www.google.com) and, because you've restricted this, you can't. That's the whole point of Content Security Policy (CSP).

你说过你只能从你自己的站点（self）加载脚本。然后，您尝试从另一个站点 (www.google.com) 加载脚本，但由于您对此进行了限制，因此无法加载。这就是内容安全策略 (CSP) 的全部意义所在。

You can change your first line to:

您可以将第一行更改为：

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com">

Or, alternatively, it may be worth removing that line completely until you find out more about CSP. Your current CSP is pretty lax anyway (allowing unsafe-inline, unsafe-evaland a default-srcof *) so probably is not adding too much value to be honest.

或者，在您找到有关 CSP 的更多信息之前，完全删除该行可能是值得的。无论如何unsafe-inline，您当前的 CSP 非常松散（允许,unsafe-eval和 a default-srcof *），所以老实说可能不会增加太多价值。

Having a similar error type. First, I tried to add the meta tags in the code but it didn't work.

具有类似的错误类型。首先，我尝试在代码中添加元标记，但没有成功。

I found out that on nginx webserver you may have a security setting that may block external code to run:

我发现在 nginx 网络服务器上，您可能有一个安全设置，可能会阻止外部代码运行：

#security directives
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://ajax.googleapis.com  https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com  https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

Check the Content-Security-Policy, you may need to add the source reference.

检查 Content-Security-Policy，您可能需要添加源引用。

Since this question is the first result on Google for this error message, I'll put this here.

由于此问题是此错误消息在 Google 上的第一个结果，因此我将其放在这里。

With my ASP.NET Core Angularproject running in Visual Studio 2019, sometimes I get this error message in the Firefox console:

我的ASP.NET Core Angular项目在 Visual Studio 2019 中运行，有时我会在 Firefox 控制台中收到此错误消息：

Content Security Policy: The page's settings blocked the loading of a resource at inline (“default-src”).

内容安全策略：页面设置阻止加载内联资源（“default-src”）。

In Chrome, the error message is instead:

在 Chrome 中，错误消息改为：

Failed to load resource: the server responded with a status of 404 ()

加载资源失败：服务器响应状态为 404()

In my case it had nothing to do with my Content Security Policy, but instead was simply the result of a TypeScript error on my part.

在我的情况下，它与我的内容安全策略无关，而只是我的 TypeScript 错误的结果。

Check your IDE output window for a TS error, like:

检查 IDE 输出窗口是否存在 TS 错误，例如：

> ERROR in src/app/shared/models/person.model.ts(8,20): error TS2304: Cannot find name 'bool'.
>      
> i ?wdm?: Failed to compile.

I got around this by upgrading both the version of Angular that I was using (from v8 -> v9) and the version of Typescript (from 3.5.3 -> latest)

我通过升级我使用的 Angular 版本（从 v8 -> v9）和 Typescript 版本（从 3.5.3 -> 最新）解决了这个问题

I managed to allow all myrequisites with this header:

我设法使用此标头允许我的所有必要条件：

header("Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' stackexchange.com");                    

You can disable them in your browser. FireFox

您可以在浏览器中禁用它们。 火狐

Type about:configin the FireFox address bar and find security.csp.enableand set it to false

键入about:config在Firefox地址栏中，找到security.csp.enable并将其设置为false

ChromeYou can install the extension called Disable Content-Security-Policyto disable CSP

Chrome您可以安装名为Disable Content-Security-Policy禁用 CSP的扩展程序