内容安全策略和mod_pagespeed evals
[英]Content Security Policy and mod_pagespeed evals
问题描述
I'm trying to set up CPS rules for my website. 
我正在尝试为我的网站设置CPS规则。 Also I try to prevent using 'unsafe-eval' for scripts but I found out that mod_pagespeeds uses it a lot. 另外我尝试防止对脚本使用'unsafe-eval' ,但我发现mod_pagespeeds使用了很多。 Here is some code generated by mod_pagespeeds on webpage: 以下是mod_pagespeeds在网页上生成的一些代码:
<script>eval(mod_pagespeed_N_OeYaMDDO);</script> <script>eval(mod_pagespeed_vvygFO_kog);</script>
How to fix this? 如何解决这个问题?
Also some of plugins installed on the website (based on wordpress) like to add inline scripts. 另外一些安装在网站上的插件(基于wordpress)喜欢添加内联脚本。 Is there way to fix this too? 有办法解决这个问题吗?
And the last question. 最后一个问题。 How bad is an idea to use 'unsafe-inline' for styles? 对于样式使用'unsafe-inline'的想法有多糟糕? Google gives an advice to use inline styles for fast page loading but CPS says it bad practice. 谷歌提出了使用内联样式进行快速页面加载的建议,但CPS表示这是不好的做法。 Whome to believe? 谁相信?
1 个解决方案
解决方案1
0 2018-03-04 01:31:33
From the documentation: 从文档:
As of 1.13.35.1 PageSpeed is able to adapt its optimizations according to any Content Security Policies specified in the response headers.
To opt-in configure the following: ModPagespeedHonorCsp on 要选择加入,请配置以下内容: ModPagespeedHonorCsp on
I enabled the above on my server and removed unsafe-eval as an allowed CSP script source. 我在我的服务器上启用了上述功能,并将unsafe-eval作为允许的CSP脚本源删除。 mod_pagespeed, however, seemed to ignore that and still use evals. 然而,mod_pagespeed似乎忽略了这一点,仍然使用了evals。 The Chrome dev tools console showed quite a few errors. Chrome开发工具控制台显示了很多错误。 I documented the problem here: 我在这里记录了问题:
https://groups.google.com/forum/#!topic/mod-pagespeed-discuss/65Emhm1O1xs https://groups.google.com/forum/#!topic/mod-pagespeed-discuss/65Emhm1O1xs
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.