CSP: Meta Policy Invalid Directive

Risk:
Medium

Type:
Passive

CWE:
693

Summary: The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.

Solution: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

References

https://www.w3.org/TR/CSP/

https://caniuse.com/#search=content+security+policy

https://content-security-policy.com/

https://github.com/HtmlUnit/htmlunit-csp

https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources