jQuery 脚本导致“拒绝执行内联脚本:启用内联执行需要‘unsafe-inline’关键字、哈希……或随机数”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/46256983/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”
提问by Yi Kiat
I keep getting this error:
我不断收到此错误:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.comhttps://ssl.gstatic.com'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
拒绝执行内联脚本,因为它违反了以下内容安全策略指令:“default-src 'self' 数据:gap: http://www.visitsingapore.com https://ssl.gstatic.com'unsafe-eval'” . 启用内联执行需要“unsafe-inline”关键字、哈希(“sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI=')或随机数(“nonce-...”)。还要注意 'script-src' 没有明确设置,所以 'default-src' 用作后备。
Can anyone tell me how to solve this and what does it mean? My code is:
谁能告诉我如何解决这个问题,这意味着什么?我的代码是:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data:gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="css/index.css">
<link rel="stylesheet" href="css/jquery.mobile-1.4.5.css">
<script src="lib/jquery-3.2.1.min.js"></script>
<script type="text/javascript" src="scripts/key.js"></script>
<script>$.ajax({
url: ' http://www.visitsingapore.com/api.listing.en.json',
type: 'GET',
beforeSend: function (xhr) {
xhr.setRequestHeader('email ID', '[email protected]');
xhr.setRequestHeader('token ID', '-------');
},
data: {},
success: function (qwe12) {
var TrueResult2 = JSON.stringify(qwe12);
document.write(TrueResult2);
},
error: function () { },
});</script>
采纳答案by sideshowbarker
The best way to fix this would be to take that $.ajax(…)call out of the document and move it into an external file called ajax-call.js, and then do this:
解决此问题的最佳方法是将该$.ajax(…)调用从文档中取出并将其移动到名为 的外部文件中ajax-call.js,然后执行以下操作:
<script src="ajax-call.js"></script>
The reason that's better is that if you're already going to the effort of setting a CSP policy for your document, then you should ideally go to the additional effort of removing all inline scripts.
这样做更好的原因是,如果您已经开始为您的文档设置 CSP 策略,那么理想情况下您应该额外努力删除所有内联脚本。
But if for some reason you really needto keep that script inline in the document, you can change that metaelement so that exact sha256 hash value from the error message is included as a source for the script-srcdirective, like this (with some line breaks added just for readability):
但是,如果由于某种原因您确实需要将该脚本内嵌在文档中,您可以更改该meta元素,以便将错误消息中的确切 sha256 哈希值包含为script-src指令的源,就像这样(仅添加了一些换行符)可读性):
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data:gap: http://www.visitsingapore.com
https://ssl.gstatic.com 'unsafe-eval';
style-src 'self' 'unsafe-inline';
media-src *;
script-src: 'sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='
">
And a couple places to get a bit more information:
还有几个地方可以获取更多信息:
