Accepted answer


play.filters.headers.contentSecurityPolicy = null

is correct, now remove

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

and then it must work as you expected


The best way to avoid this problem would be to use an extra javascript file which contains your code. but i had a similiar problem and solved it by setting a very long policy in my application.conf

play.filters.headers.contentSecurityPolicy = "default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self';font-src 'self';img-src 'self' data:" is the hostname from where my app is served.

Related Query

More Query from same tag