JavaScript: Content security policy including a script
Disclaimer: this page is a Chinese-English parallel translation of popular StackOverflow questions, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/48551787/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Content security policy including a script
Asked by Mattia Billa
I need to include this script https://apis.google.com/js/api:client.js in my website. On Google Chrome it works fine, but on Firefox (and IE obviously), I get some errors:
Content Security Policy: Ignoring “‘unsafe-inline'” within script-src: ‘strict-dynamic' specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic' specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic' specified
I tried to change the content security policy header in a meta tag but it didn't work.
I tried with all of these:
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' apis.google.com">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://*.google.com; object-src 'self' 'unsafe-eval'">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' apis.google.com;">
Answered by Peter Rowntree
I know this question is a year old, but it's still one of the first things to come up when searching for this problem, and as yet doesn't have the correct answer.
I understand. I'm one of those people who likes to see a pristine console in production, so stuff like this drives me nuts, but there's actually nothing we can do about it. Firefox is reporting warnings out to the console when it shouldn't.
Both Mozilla and Google recommend including fallback CSP1 policies along with CSP3's 'strict-dynamic'. Browsers that understand 'strict-dynamic' should ignore the CSP1 policies, and browsers that don't should ignore the unrecognized 'strict-dynamic' and follow the CSP1 policies. The operative word is ignore. Truly ignoring includes not announcing you're ignoring.
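The fallback layering this answer describes, as an added example that is not from the question or either answer: a server-side helper that emits a nonce-based policy carrying the CSP1 fallbacks, plus a deliberately simplified model (an assumption, not a real CSP engine) of how a browser that understands 'strict-dynamic' and one that does not each decide whether https://apis.google.com/js/api:client.js may load. The function names (build_csp, script_allowed, new_nonce) are mine.

```python
"""Nonce-based CSP with 'strict-dynamic' plus CSP1 fallbacks, and a simplified
model of how a CSP3 browser and a pre-CSP3 browser each evaluate it."""
import secrets
from urllib.parse import urlsplit


def new_nonce() -> str:
    """Fresh per-response nonce; never reuse one across responses."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, fallback_hosts) -> str:
    """Header value: CSP3 browsers use the nonce + 'strict-dynamic' and ignore the
    rest of script-src (that is exactly what Firefox warns about); older browsers
    drop the unknown 'strict-dynamic' and fall back to the host list, https: and http:."""
    hosts = " ".join(fallback_hosts)
    return ("default-src 'none'; "
            f"script-src 'nonce-{nonce}' 'strict-dynamic' {hosts} 'unsafe-inline' https: http:; "
            "object-src 'none'; base-uri 'self'")


def script_src_sources(csp: str) -> list:
    """Split the script-src directive into its source expressions."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            return value.split()
    return []


def script_allowed(csp, script_url, tag_nonce, supports_strict_dynamic, from_trusted_script=False):
    """Simplified model (assumption, not a full CSP engine) of one external <script> check."""
    sources = script_src_sources(csp)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if tag_nonce is not None and tag_nonce in nonces:
        return True                      # nonce matches: allowed by every nonce-aware browser
    if supports_strict_dynamic and "'strict-dynamic'" in sources:
        # Hosts, 'unsafe-inline', https: and http: are ignored; only nonced scripts and
        # scripts they create themselves (e.g. via document.createElement) may load.
        return from_trusted_script
    parts = urlsplit(script_url)         # pre-CSP3 browser: plain host/scheme allowlist
    host = parts.hostname or ""
    for s in sources:
        if s.startswith("'"):
            continue                     # keywords and nonces never match an external URL
        if s in ("https:", "http:") and parts.scheme + ":" == s:
            return True                  # scheme source: any host over that scheme
        if s.startswith("*.") and host.endswith(s[1:]):
            return True
        if host == s:
            return True
    return False
```

Note what the fallback buys you: in a browser that understands 'strict-dynamic' only the nonced script and what it loads are allowed, while a pre-CSP3 browser given the https: fallback will accept any https script, so the allowlist only restricts modern browsers.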
Answered by Rainb
You have to edit the CSP headers not in the HTML, but in the server HTTP headers. Do you have control of the server?
Meta tags and such will be ignored because the HTTP headers take precedence; fix those first.

