I currently have a hard time understanding how to correctly change the Content-Security-Policy META tag. This is what I want to have:
<meta http-equiv="Content-Security-Policy" content="* 'self' default-src * data: blob: 'unsafe-inline' 'unsafe-eval' ws: wss: cdvfile: file: ;">
This is what is currently in my Meteor-generated HTML:
<meta http-equiv="Content-Security-Policy" content="default-src * gap: data: blob: 'unsafe-inline' 'unsafe-eval' ws: wss:;">
So far I have found out that the code comes from here:
And I have found this library which promises to help override the boilerplate-generated code:
Unfortunately this lib does not always work, so I searched further and read about the Meteor browser-policy package.
Then, in the meteor documentation there is this paragraph:
For now, Meteor adds a permissive <meta http-equiv="Content-Security-Policy" content="…" header to the generated index page. We may want to allow more fine grained control in the future (through integrating with the browser-policy package for instance.)
Which leaves me confused. “We may want to allow … in the future … through browser-policy”
Does it mean that the browser-policy is not the right way to do it today but only possibly in the future?
To be honest, I am absolutely unsure what the correct way of changing the Content-Security-Policy META tag is. Can anyone point me in the right direction?
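
Added example (not part of the original post and not Meteor's code): a small parser that follows the CSP Level 3 splitting rules, run over the two content values quoted in the post to show which directives each one actually sets. The KNOWN set is a non-exhaustive assumption, and REORDERED is a constructed variant used only to list the per-source difference.

```javascript
// Added example: split CSP strings as CSP Level 3 describes and compare them.
// KNOWN is a non-exhaustive set of directive names (assumption for this demo).
const KNOWN = new Set(['default-src', 'script-src', 'style-src', 'img-src',
  'connect-src', 'font-src', 'media-src', 'object-src', 'frame-src',
  'child-src', 'worker-src', 'manifest-src', 'base-uri', 'form-action']);

// The two content="" values quoted in the post.
const CURRENT = "default-src * gap: data: blob: 'unsafe-inline' 'unsafe-eval' ws: wss:;";
const WANTED = "* 'self' default-src * data: blob: 'unsafe-inline' 'unsafe-eval' ws: wss: cdvfile: file: ;";
// Constructed variant: same tokens as WANTED, directive name moved to the front.
const REORDERED = "default-src * 'self' data: blob: 'unsafe-inline' 'unsafe-eval' ws: wss: cdvfile: file:;";

function parseCsp(content) {
  const policy = new Map();
  for (const part of content.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;      // empty segment after a trailing ';'
    const name = tokens[0].toLowerCase();   // first token is always the directive name
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins
  }
  return policy;
}

// Directive names the parser found that are not in KNOWN.
function unknownDirectives(policy) {
  return [...policy.keys()].filter((name) => !KNOWN.has(name));
}

// Source expressions added to / removed from one directive between two policies.
function diffSources(before, after, directive) {
  const a = new Set(before.get(directive) || []);
  const b = new Set(after.get(directive) || []);
  return {
    added: [...b].filter((s) => !a.has(s)),
    removed: [...a].filter((s) => !b.has(s)),
  };
}

for (const [label, text] of [['current', CURRENT], ['wanted', WANTED], ['reordered', REORDERED]]) {
  const p = parseCsp(text);
  console.log(label, 'directives:', [...p.keys()], 'unknown:', unknownDirectives(p));
}
console.log(diffSources(parseCsp(CURRENT), parseCsp(REORDERED), 'default-src'));
```

A user agent ignores a directive name it does not recognize, so a content value whose first token is * sets no default-src at all; checking the parsed result this way catches that before the tag is shipped.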