因为它违反了以下内容安全策略指令:“style-src'self'”
[英]because it violates the following Content Security Policy directive: “style-src 'self'”
问题描述
I have a webpage with this header. 
我有一个带有此标题的网页。
It's a non interactive page with just twitter bootstrap js. 这是一个只有twitter bootstrap js的非交互式页面。
<head>
<title>Versions: unknown bl version vs. 1.0.487 [flavor: HISTORIC_TIME]</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css">
<script type="script" src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js"></script>
<meta content="text/html; charset=utf-8" http-equiv="content-type">
<link rel="icon" href="/jenkins/view/QA/job/RoutingRegression/ws/src/main/resources/html_pages/images/favicon.png" type="image/gif" sizes="16x16">
</head>
I saw some posts on stackoverflow but couldn't understand how to fix this. 我在stackoverflow上看到了一些帖子,但无法理解如何解决这个问题。
Refused to load the stylesheet ' https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css ' because it violates the following Content Security Policy directive: "style-src 'self'".
landing_page.html:1 Refused to load the stylesheet ' https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css ' because it violates the following Content Security Policy directive: "style-src 'self'".
I tried to change the <meta> to 我试图将<meta>更改为
<meta content="text/html; charset=utf-8 ;script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval';" http-equiv="content-type">
but it didn't help 但它没有帮助
any idea? 任何想法?
3 个解决方案
解决方案1
9 2016-01-26 14:28:20
Try splitting out the CSP into a separate tag and add a style-src reference, like this: 尝试将CSP拆分为单独的标记并添加style-src引用,如下所示:
<meta http-equiv="content-type" content="text/html; charset=utf-8 ;">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; style-src 'self' maxcdn.bootstrapcdn.com">
This should say that you trust styles coming from maxcdn.bootstrapcdn.com. 这应该说你信任来自maxcdn.bootstrapcdn.com的样式。
Great explanation of Content Security Policy is at http://content-security-policy.com/ 有关内容安全策略的详细解释,请访问http://content-security-policy.com/
解决方案2
0 2018-05-10 17:40:11
You can't use CDN for js, you will have to copy the content of " https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css " and create a new file inside your js directory and call it bootstrap.min.js and paste everything in it, then in your HTML file header remove the line that has this URL in it and use this one instead 您不能将CDN用于js,您必须复制“ https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css ”的内容并在您的js中创建一个新文件目录并将其命名为bootstrap.min.js并将其中的所有内容粘贴到其中,然后在HTML文件头中删除包含此URL的行并使用此代替
<script src="js/jquery.min.js"></script>
Make sure that this is the write path for the file that contains all the data in the mentioned url 确保这是包含所提及URL中所有数据的文件的写入路径
Regards 问候
解决方案3
0 2018-10-13 09:36:50
Add Content-Security-Policy meta tag to your header, like so: 将Content-Security-Policy元标记添加到标题中,如下所示:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.bootstrapcdn.com">
It will allow you to load content such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames and HTML5 Media from domain bootstrapcdn.com . 它允许您从域bootstrapcdn.com加载JavaScript,图像,CSS,字体,AJAX请求,框架和HTML5媒体等内容。
If you still have the same error report, the issue may lie in the framework you are using. 如果您仍然有相同的错误报告,则问题可能在于您使用的框架。 I had similar problem with play framework 2.6.17, that has it's own Content-Security-Policy headers enabled by default, fixed with: 我在播放框架2.6.17中遇到了类似的问题,它默认启用了自己的Content-Security-Policy标头,修复了:
play.filters.headers.contentSecurityPolicy="default-src 'self' *.bootstrapcdn.com"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.