I have Developed facebook instant game with firebase storage. i am getting the following error (blocked:csp) after uploading a zip to instant game hosting....
0

Error Number 1 >>

index.html?version=5&gcgs=1&source=fbinstant-2825523227545808&entry_point=www_app_bookmark&IsMobileWeb=0:1 Refused to load the script 'https://www.gstatic.com/firebasejs/7.14.1/firebase-app.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net cdn.mixpnl.com *.google-analytics.com web.localytics.com *.googletagmanager.com blob: *.cloudfront.net *.amazonaws.com *.googleapis.com *.firebaseapp.com *.firebaseio.com *.8686c.com *.cncovs.com *.aliyun.com *.aliyuncs.com *.wsdvs.com *.console.re *.kunlunar.com *.layabox.com *.windows.net *.msecnd.net *.anysdk.com cdn.trackjs.com cdn.firebase.com *.kochava.com *.akamaized.net *.cocos.com *.hinet.net *.playfab.com code.createjs.com *.zdassets.com websdk.appsflyer.com cdnjs.cloudflare.com ". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Error Number 2 >>

Refused to load the script 'https://cdn.jsdelivr.net/npm/phaser@3.23.0/dist/phaser-facebook-instant-games.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net cdn.mixpnl.com *.google-analytics.com web.localytics.com *.googletagmanager.com blob: *.cloudfront.net *.amazonaws.com *.googleapis.com *.firebaseapp.com *.firebaseio.com *.8686c.com *.cncovs.com *.aliyun.com *.aliyuncs.com *.wsdvs.com *.console.re *.kunlunar.com *.layabox.com *.windows.net *.msecnd.net *.anysdk.com cdn.trackjs.com cdn.firebase.com *.kochava.com *.akamaized.net *.cocos.com *.hinet.net *.playfab.com code.createjs.com *.zdassets.com websdk.appsflyer.com cdnjs.cloudflare.com ". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Note: I have also updated csp meta tag of my html5 game with

   <meta http-equiv="content-type" content="text/html; charset=utf-8 ;">
<meta http-equiv="Content-Security-Policy" content=" script-src 'self' 'unsafe-inline' 'unsafe-eval'
    https://www.gstatic.com/
    https://cdn.jsdelivr.net/
    https://ajax.googleapis.com/
    https://connect.facebook.net/
    https://www.googletagmanager.com/ 
    https://apps-2825523227545808.apps.fbsbx.com/ ">

Hope for a Quick Reply.

Thanks Zaquwan Saifi, Glidesoft Technologies Address : Moradabad UP India.

Zaquwan
Asked about 3 months ago