内容安全策略允许内联样式,没有不安全的内联
[英]Content Security Policy allow inline style without unsafe-inline
问题描述
Using content security policy without style-src 'unsafe-inline' how do you allow styles like this? 
使用没有style-src'unsafe-inline'的内容安全策略,你如何允许这样的样式?
<span style="font-size: 16px;">Hello</span>
I've tried adding a nonce to them and adding that nonce to the CSP header but that doesn't seem to work 我已经尝试向他们添加一个nonce并将该nonce添加到CSP头但这似乎不起作用
<span style="font-size: 16px;" nonce="0611873de7e2db5985c289fdfa946caee2ae1860">Hello</span>
"style-src 'nonce-0611873de7e2db5985c289fdfa946caee2ae1860' 'self'"
Is there any way to do this without adding the 'unsafe-inline' directive?? 有没有办法在不添加'unsafe-inline'指令的情况下执行此操作?
2 个解决方案
解决方案1
2 2015-10-06 23:46:01
解决方案2
-2 2015-11-23 13:44:00
a common workaround for this issue is to write the inline-style (or inline-script) data to an input tag: 此问题的常见解决方法是将内联样式(或内联脚本)数据写入输入标记:
<input id="my-font-size" type="hidden" value="16" />
or in HTML5: 或者在HTML5中:
<input id="my-id" data-font-size="16" />
and process the data via an external included JavaScript (to avoid violating "script-src" csp): 并通过外部包含的JavaScript处理数据(以避免违反“script-src”csp):
$('span').css('font-size', $('#my-id').data('font-size'));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.