Javascript 因为它违反了以下内容安全策略指令:“style-src 'self'”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/35014990/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
because it violates the following Content Security Policy directive: "style-src 'self'"
提问by Elad Benda
I have a webpage with this header.
我有一个带有此标题的网页。
It's a non interactive page with just twitter bootstrap js.
这是一个只有 twitter bootstrap js 的非交互式页面。
<head>
<title>Versions: unknown bl version vs. 1.0.487 [flavor: HISTORIC_TIME]</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css">
<script type="script" src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js"></script>
<meta content="text/html; charset=utf-8" http-equiv="content-type">
<link rel="icon" href="/jenkins/view/QA/job/RoutingRegression/ws/src/main/resources/html_pages/images/favicon.png" type="image/gif" sizes="16x16">
</head>
I saw some posts on stackoverflow but couldn't understand how to fix this.
我在 stackoverflow 上看到了一些帖子,但不明白如何解决这个问题。
Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self'".
landing_page.html:1 Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css' because it violates the following Content Security Policy directive: "style-src 'self'".
拒绝加载样式表“ https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css”,因为它违反了以下内容安全策略指令:“style-src 'self'”。
Landing_page.html:1 拒绝加载样式表 ' https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css' 因为它违反了以下内容安全策略指令:“style- src '自我'”。
I tried to change the <meta>to
我试图改变<meta>到
<meta content="text/html; charset=utf-8 ;script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval';" http-equiv="content-type">
but it didn't help
但它没有帮助
any idea?
任何的想法?
回答by Rob Imig
Try splitting out the CSP into a separate tag and add a style-src reference, like this:
尝试将 CSP 拆分成一个单独的标签并添加一个 style-src 引用,如下所示:
<meta http-equiv="content-type" content="text/html; charset=utf-8 ;">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; style-src 'self' maxcdn.bootstrapcdn.com">
This should say that you trust styles coming from maxcdn.bootstrapcdn.com.
这应该说您信任来自 maxcdn.bootstrapcdn.com 的样式。
Great explanation of Content Security Policy is at http://content-security-policy.com/
内容安全政策的精彩解释位于http://content-security-policy.com/
回答by JetSet
You can't use CDN for js, you will have to copy the content of "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css" and create a new file inside your js directory and call it bootstrap.min.js and paste everything in it, then in your HTML file header remove the line that has this URL in it and use this one instead
您不能将 CDN 用于 js,您必须复制“ https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css”的内容并在您的 js 中创建一个新文件目录并将其命名为 bootstrap.min.js 并将所有内容粘贴到其中,然后在您的 HTML 文件标题中删除包含此 URL 的行并使用此 URL
<script src="js/jquery.min.js"></script>
Make sure that this is the write path for the file that contains all the data in the mentioned url
确保这是包含上述 url 中所有数据的文件的写入路径
Regards
问候
回答by German Amvrossiev
Add Content-Security-Policy meta tag to your header, like so:
将 Content-Security-Policy 元标记添加到您的标题中,如下所示:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.bootstrapcdn.com">
It will allow you to load content such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames and HTML5 Media from domain bootstrapcdn.com.
它将允许您从域加载 JavaScript、图像、CSS、字体、AJAX 请求、框架和 HTML5 媒体等内容bootstrapcdn.com。
If you still have the same error report, the issue may lie in the framework you are using. I had similar problem with play framework 2.6.17, that has it's own Content-Security-Policyheaders enabled by default, fixed with:
如果您仍然有相同的错误报告,则问题可能出在您使用的框架中。我在播放框架 2.6.17 中遇到了类似的问题,Content-Security-Policy默认情况下启用了它自己的标头,修复了:
play.filters.headers.contentSecurityPolicy="default-src 'self' *.bootstrapcdn.com"
