Your second variant is correct:
    Content-Security-Policy:
        default-src 'self' *.facebook.com;
        script-src 'self' *.facebook.com *.googleapis.com;
When you specify the script-src directive in the policy, browsers do not use any sources from default-src for scripts at all (there is no fallback to default-src). Only the sources listed in script-src are used.

So if your app loads scripts from 'self' and *.facebook.com, you have to list those in script-src as well, independently of what default-src contains.
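As an added illustration of that fallback rule (example code, not from the original answer or from any browser): the small Python checker below parses a CSP header value, picks the source list that actually governs script-src, and then tests script URLs against it. The policy string, the origins and the URLs are constructed samples; port numbers and the http-to-https upgrade rule are left out for brevity, and a bare host-source is assumed to mean https.

```python
from urllib.parse import urlparse

# Constructed policy, same shape as the one in the answer.
POLICY = ("default-src 'self' *.facebook.com; "
          "script-src 'self' *.facebook.com *.googleapis.com")

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                         "font-src", "media-src", "object-src", "frame-src"}

def parse_csp(policy: str) -> dict:
    """Split a policy header value into {directive: [source, ...]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return out

def effective_sources(policy: str, directive: str) -> list:
    """Sources that govern `directive`: its own list if present (no merge with
    default-src), otherwise default-src, otherwise nothing."""
    directives = parse_csp(policy)
    if directive in directives:
        return directives[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src", [])
    return []

def host_matches(source: str, origin: str, self_origin: str) -> bool:
    """Does one host-source (e.g. *.facebook.com or 'self') allow `origin`?"""
    if source == "'self'":
        return origin == self_origin
    if source == "'none'":
        return False
    src = source if "://" in source else "https://" + source  # assumed scheme
    want, have = urlparse(src), urlparse(origin)
    if want.scheme != have.scheme:
        return False
    if want.hostname.startswith("*."):
        suffix = want.hostname[1:]  # ".facebook.com": at least one label must precede it
        return have.hostname.endswith(suffix) and len(have.hostname) > len(suffix)
    return want.hostname == have.hostname

def script_allowed(policy: str, script_url: str, self_origin: str) -> bool:
    """Would a <script src=script_url> load under `policy` on page `self_origin`?"""
    origin = "{0.scheme}://{0.netloc}".format(urlparse(script_url))
    return any(host_matches(s, origin, self_origin)
               for s in effective_sources(policy, "script-src"))
```

Running `script_allowed("default-src *.facebook.com; script-src 'self'", "https://connect.facebook.com/sdk.js", "https://example.com")` returns False, which is exactly the situation the answer warns about: the Facebook host is in default-src but not in script-src, so scripts from it are blocked.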