How to get past CSP (Content Security Policy) by allowing everything?

Question

The website works perfectly on local machine, but when I upload it to netlify it drops near 20 errors .

I just want to share one of my first projects with friends and not be bothered with security right now.

Tried implementing all the answers from this Allow All Content Security Policy? post, but still nothing.

This is my header that's getting the previously mentioned 20 errors:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="Content-Security-Policy" content="
      default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; 
      script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; 
      connect-src * data: blob: 'unsafe-inline'; 
      img-src * data: blob: 'unsafe-inline'; 
      frame-src * data: blob: ; 
      style-src * data: blob: 'unsafe-inline';
      font-src * data: blob: 'unsafe-inline';">
    <link rel="stylesheet" href="css/main.css">

But trying all the other answers also resulted in something similar.

Answer 1

Initially you have a CSP published via HTTP header, this CSP has a characteristic script-src-elem 'none' rule (underlined in BLUE in the print screen).
You added CSP via the meta tag, this CSP has a characteristic 'unsafe-dynamic' token (underlined in GREEN in the print screen).

You can't relax first Content Security Policy by adding a second one.

Like as comment by sideshowbarker, just remove CSP in HTTP header. Check if you have netlify-plugin-csp-generator or netlify-plugin-csp-headers Netlify packages installed. Those can publish default CSP via HTTP header.

Answer 2

Same happened to me recently, you likely have a browser extension running that blocks scripts.

That's why you probably cannot even see these headers in google dev tools.

Disable it for that site and voila;)