Content Security Policy: "img-src 'self' data:"
img-src * 'self' data: https:;
is not a good solution as it can make your app vulnerable against XSS attacks. The best solution here should be: img-src 'self' data:image/svg+xml
. If it doesn't work try: img-src 'self' data:
Consider changing it if you still have your directive as img-src * 'self' data: https:;
Try replacing this part:
img-src * 'self' data: https:;
So the complete tag:
<meta http-equiv="Content-Security-Policy" content="default-src *;
img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *;
style-src 'self' 'unsafe-inline' *">
Content Security Policy Reference
In addition to what has been contributed above by @manzapanza, you need to make sure if the CSP hasn't been configured in your application's web config file because if the setting exists it will override your meta tag setting in your index file like in the example below:
Index meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src *;img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *">
Being overridden by a CSP setting in your web config file.
Web config setting:
<add name="Content-Security-Policy" value="default-src https: http: 'unsafe-inline'; img-src * 'self' data: https:;" />
In a case like this, consider having one set mostly in the system's web config file.