内容安全策略指令:“script-src'self'blob:filesystem:chrome-extension-resource:”在获取是否
[英]Content Security Policy directive: “script-src 'self' blob: filesystem: chrome-extension-resource:” While fetching whether
问题描述
I am using jQuery simple whether plugin to get the whether and trying to create a chrome widget. 
我正在使用jQuery简单的插件来获取是否并尝试创建一个chrome小部件。
While loading the file as a chrome extensions, I am getting error, after looking all the help provided by google and here it self, still I am not able to resolve this issue. 在将文件作为Chrome扩展程序加载时,我收到错误,在查看谷歌提供的所有帮助后,我自己仍然无法解决此问题。
Below is the error for yahoo whether 以下是雅虎的错误
> jquery-2.1.3.min.js:4 Refused to load the script
> 'https://query.yahooapis.com/v1/public/yql?format=json&rnd=2016437&diagnosti…ces(1)%20where%20text=%22New%20Delhi%22)%20and%20u=%22c%22&_=1462326587463'
> because it violates the following Content Security Policy directive:
> "script-src 'self' blob: filesystem: chrome-extension-resource:".
Another error which is for font, 另一个错误是字体,
> Refused to load the font
> 'data:application/octet-stream;base64,AAEAAAAPAIAAAwBwR1NVQrD+s+0AAAD8AAAAQk…GIUViwQIhYsQNkRLEmAYhRWLoIgAABBECIY1RYsQMARFlZWVmzDAIBDCq4Af+FsASNsQIARAAA'
> because it violates the following Content Security Policy directive:
> "default-src *". Note that 'font-src' was not explicitly set, so
> 'default-src' is used as a fallback.
Used manifest code are 使用过的清单代码是
"content_security_policy": "script-src 'self'; object-src 'self' https://query.yahooapis.com/",
"permissions": [
"tabs", "<all_urls", "http://localhost/",
"http://*/*", "https://*/*", "https://query.yahooapis.com/*"
],
"content_scripts":
[{
"css": [
"css/component.css",
"css/tooltip-line.css",
"css/modal.css"
],
"js": [
"js/modernizr.custom.js",
"js/jquery-2.1.3.min.js",
"js/jquery.simpleWeather.min.js",
"js/handlebars-v4.0.5.js",
"js/moment.min.js",
"js/background.js"
],
"matches": [ "http://*/*", "https://*/*"]
}]
Also In my html file i am using this meta tag 另外在我的html文件中我正在使用这个元标记
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
Can some one please help me to how i can solve this. 有人可以帮我解决这个问题。
1 个解决方案
解决方案1
0 2018-03-06 13:05:30
Your content-security-policy has "script-src 'self' which means scripts cannot be loaded from a third party URL. 您的content-security-policy有"script-src 'self'这意味着无法从第三方URL加载脚本。
You have specified yahoo API in the object-src directive. 您已在object-src指令中指定了yahoo API。 object-src directive ( MDN ) specifies valid sources for the <object> , <embed> , and <applet> elements. object-src指令( MDN )指定<object> , <embed>和<applet>元素的有效源。
To load the script from a third party, you have to specify in script-src directive like this: 要从第三方加载脚本,您必须在script-src指令中指定如下:
"content_security_policy": "script-src https://query.yahooapis.com/ 'self'; ..."
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.