You can’t override the policy in the Content-Security-Policy HTTP header with a less-restrictive policy. You need to instead change the code that’s setting the value of the Content-Security-Policy HTTP header. E.g.

    Header set Content-Security-Policy "script-src ...;"

should be changed to

    Header set Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' https://www.blockonomics.co/js/ https://maxcdn.bootstrapcdn.com/bootstrap/"

Please let me know if this solves your issue, or if you require any further assistance.
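
Added example, not part of the original reply: a simplified JavaScript model of how a browser combines several Content-Security-Policy policies, showing why a second, looser policy cannot re-allow a script that the header's policy blocks. The strict header value, the page origin and the script URLs are constructed samples; the looser policy is the value suggested in this thread, and the matching covers only `'self'` and host sources with an optional path.

```javascript
// Simplified model of CSP script-src enforcement (assumption: no wildcards,
// nonces, hashes, scheme-only sources or default-src fallback are modelled).

// Return the script-src source list of one policy, or null if it has none.
function scriptSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null; // this policy places no restriction on scripts
}

// Does a single source expression allow the absolute script URL?
function sourceAllows(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false; // other keywords never match a URL
  let allowed;
  try { allowed = new URL(source); } catch { return false; }
  if (allowed.origin !== target.origin) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  return allowed.pathname.endsWith('/')
    ? target.pathname.startsWith(allowed.pathname)
    : target.pathname === allowed.pathname;
}

// A load is allowed only if EVERY delivered policy allows it, so adding a
// policy can only tighten the result, never loosen it.
function scriptAllowed(policies, url, pageOrigin) {
  return policies.every((policy) => {
    const sources = scriptSources(policy);
    return sources === null || sources.some((s) => sourceAllows(s, url, pageOrigin));
  });
}

// Constructed sample values for illustration.
const PAGE_ORIGIN = 'https://shop.example';
const STRICT_HEADER = "script-src 'self'";
const SUGGESTED_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval' " +
  'https://www.blockonomics.co/js/ https://maxcdn.bootstrapcdn.com/bootstrap/';
const WIDGET_URL = 'https://www.blockonomics.co/js/example.js';

// Strict header plus a looser second policy: still blocked.
console.log(scriptAllowed([STRICT_HEADER, SUGGESTED_POLICY], WIDGET_URL, PAGE_ORIGIN));
// Header itself changed to the suggested value: allowed.
console.log(scriptAllowed([SUGGESTED_POLICY], WIDGET_URL, PAGE_ORIGIN));
```
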
Both https://www.blockonomics.co/js/ and https://maxcdn.bootstrapcdn.com/bootstrap/ should be added to the headers in the next.config.js file:

    module.exports = {
      async headers() {
        return [
          {
            // Apply these headers to all routes in your application.
            source: '/:path*',
            headers: [
              {
                key: 'Content-Security-Policy',
                value: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.blockonomics.co/js/ https://maxcdn.bootstrapcdn.com/bootstrap/",
              },
            ],
          },
        ]
      },
    }

Your application may also be using a module similar to next-secure-headers, which helps manage the headers in your app. The next.config.js configuration would look similar to the following in this case: