score:3

Accepted answer

The

play.filters.headers.contentSecurityPolicy = null

is correct, now remove

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

and then it must work as you expected

score:2

The best way to avoid this problem would be to use an extra javascript file which contains your code. but i had a similiar problem and solved it by setting a very long policy in my application.conf

play.filters.headers.contentSecurityPolicy = "default-src 'self';script-src 'self' https://my-site.com 'unsafe-inline';style-src 'self' https://my-site.com;font-src 'self' https://my-site.com;img-src 'self' https://my-site.com data:"

my-site.com is the hostname from where my app is served.


Related Query

More Query from same tag