The best method I was able to find for fine-tuning CSP was a combination of these two:
- looking at the browser console
- configuring CSP to send CSP reports, as they sometimes contain more details than console messages
For the latter you'd need to add report-uri to your CSP header and I use http://cspbuilder.info/ unique URLs as report collectors. You might also set the Content-Security-Policy-Report-Only variant until it starts working.
It would also help if you write what browser you are using. The message doesn't look like a CSP violation error from Chrome - they are way more verbose and really helpful than this one.
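The report-based tuning loop described in this answer, as an added example that is not part of the original answer: a local collector that builds the Report-Only header with a report-uri and parses the JSON body browsers POST to it. The `/csp-report` path, the port, the helper names and the sample report are assumptions made for illustration.

```python
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

REPORT_PATH = "/csp-report"   # assumed collector path, not from the answer
seen = Counter()              # (directive, blocked-uri) -> number of reports

# Constructed sample of the JSON body a browser POSTs to report-uri.
SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://app.example/login",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example/app.js",
    "source-file": "https://app.example/login", "line-number": 12,
}}).encode()

def report_only_header(policy, report_url=REPORT_PATH):
    """Header pair that reports violations without blocking anything."""
    return ("Content-Security-Policy-Report-Only",
            f"{policy.rstrip('; ')}; report-uri {report_url}")

def parse_report(body):
    """Pull the fields needed for policy tuning out of a report body."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None                      # malformed or not a CSP report
    if not isinstance(report, dict):
        return None
    # Some browsers send the whole directive text; keep only its name.
    directive = (report.get("effective-directive")
                 or report.get("violated-directive") or "unknown")
    return {"directive": (str(directive).split() or ["unknown"])[0],
            "blocked": report.get("blocked-uri", ""),
            "page": report.get("document-uri", ""),
            "source": report.get("source-file", ""),
            "line": report.get("line-number")}

class Collector(BaseHTTPRequestHandler):
    def do_POST(self):
        size = min(int(self.headers.get("Content-Length") or 0), 65536)
        item = parse_report(self.rfile.read(size)) if self.path == REPORT_PATH else None
        if item:
            seen[(item["directive"], item["blocked"])] += 1
            print(item)                  # one line per violation, for review
        self.send_response(204 if item else 400)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Collector).serve_forever()
```

Each (directive, blocked-uri) pair that keeps appearing in `seen` is either a source the policy should allow or something on the page that should not be loading at all.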