The Content Security Policy Error

Hi,

I am implementing the OKTA login with the Ionic framework (version 4).

For Android everything works correctly; for iOS, however, after opening a webview with the inappbrowser plugin at the link https://dev-…okta.com/oauth2/default/.well-known/openid-configuration and entering the correct credentials, I get this error:

"[Error] The Content Security Policy … was delivered in report-only mode, but does not specify a ‘report-uri’; the policy will have no effect. Please either add a ‘report-uri’ directive, or deliver the policy via the ‘Content-Security-Policy’ header."

This error blocks the closing of the webview and does not allow me to proceed.

Can you help me resolve this error?

Hello,

As per Content-Security-Policy-Report-Only - HTTP | MDN

The directives of the Content-Security-Policy header can also be applied to Content-Security-Policy-Report-Only.
The CSP report-to directive should be used with this header, otherwise this header will be an expensive no-op machine.

So it is not mandatory to include the report-to.

If you have a custom domain URL registered for your Org, you might check if the report-only CSP header is being returned for the discovery document.
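
Added example, not part of the original posts and not Okta code: one way to run the check suggested above on a captured set of response headers, reporting for each policy whether it is enforced or report-only and whether a report-only policy names a `report-uri` or `report-to` endpoint. The function names and the sample headers are assumptions constructed for illustration.

```javascript
// Constructed sample headers, keyed by lower-cased name (not from a real org).
const sampleHeaders = {
  "content-type": "application/json",
  "content-security-policy-report-only":
    "default-src 'self'; frame-ancestors 'self', script-src 'self'; report-uri /csp",
};

// Parse one serialized policy into a Map of directive name -> value tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A header value may carry several comma-separated policies (for example when
// multiple header lines are joined). Each one is evaluated on its own.
function parsePolicyList(value) {
  return value.split(",").map(parsePolicy).filter((d) => d.size > 0);
}

// True when the policy names at least one reporting endpoint.
function hasReporting(directives) {
  return ["report-uri", "report-to"].some(
    (name) => (directives.get(name) || []).length > 0
  );
}

// Returns one finding per policy found in the response headers.
function auditCsp(headers) {
  const enforced = parsePolicyList(headers["content-security-policy"] || "");
  const reportOnly = parsePolicyList(
    headers["content-security-policy-report-only"] || ""
  );
  const findings = enforced.map(() => "enforced");
  for (const d of reportOnly) {
    findings.push(hasReporting(d) ? "report-only:reporting" : "report-only:no-reporting");
  }
  return findings.length ? findings : ["no-csp"];
}

console.log(auditCsp(sampleHeaders));
```
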