How to check what is blocked through Content-Security-Policy?
I tried to set the following Content-Security-Policy header for my website:

```php
header('Content-Security-Policy: "default-src \'none\'; script-src \'self\'; connect-src \'self\'; img-src * data:; style-src \'self\';"');
```
But the result was strange in some places. For example, this `<table>`:
As the styles work, I tried to find out through the Google Chrome Developer Tools which content was blocked, but I had no success finding error messages or anything similar.
How can I find out what caused this style change?
Partial code of this table:
```html
<table id=threads cellspacing=1>
<col />
<col style="width:66%" />
<col style="width:8%" />
<col style="width:26%" />
<tr>
<th colspan=2>Ähnliche Beiträge</th>
<th>Re:<br />√</th>
<th>Letzter Beitrag</th>
</tr>
<tr onmouseover="this.className='even'" onmouseout="this.className=''">
...
```
If you want to allow inline styles, use `style-src 'self' 'unsafe-inline'` instead.
Inline styles are only allowed if the CSP header explicitly includes `'unsafe-inline'` for them. Your CSP header lacks `'unsafe-inline'`, so all your `style="width:66%"`, etc., are not applied.
As far as getting more detailed information back to pinpoint exactly which styles have been blocked, I think there's no way to get that. Even if you use the `report-uri` directive, I think from that you'll only get back the same level of detail you get from your browser, which is just that you have a document which is using inline styles, which browsers will report with a message something like this:
Refused to apply inline style because it violates the following Content Security Policy directive: "default-style 'self'"
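To show what the answer above describes in working code, here is an added example (not code from the question or the answer): it parses a CSP header value, resolves which directive governs inline styles (falling back to `default-src`, as browsers do), decides whether a `style=""` attribute is allowed, and summarises a violation report of the kind a `report-uri` endpoint receives. The policy string is the one from the question; the JSON report is constructed for the example and mimics the `csp-report` body Chrome posts. The `securitypolicyviolation` listener at the end is the in-page way to see each blocked item with its line number; it only does anything when run in a browser.

```javascript
'use strict';

// The policy from the question (directive list only).
const QUESTION_POLICY =
  "default-src 'none'; script-src 'self'; connect-src 'self'; img-src * data:; style-src 'self';";

// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions. Directives are
// separated by ';', tokens by whitespace; names are case-insensitive.
// A repeated directive name is ignored by browsers, so the first wins.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Find the directive that actually governs a fetch directive such as
// style-src: the specific one if present, otherwise default-src,
// otherwise nothing (the resource type is unrestricted).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return { directive, sources: policy.get(directive) };
  if (policy.has('default-src')) return { directive: 'default-src', sources: policy.get('default-src') };
  return { directive: null, sources: null };
}

// Is a style="" attribute allowed? Only 'unsafe-inline' permits it,
// and 'unsafe-inline' is ignored by CSP Level 2+ browsers once a
// nonce- or sha*- source is listed in the same directive.
function inlineStylesAllowed(policy) {
  const { directive, sources } = effectiveSources(policy, 'style-src');
  if (sources === null) return { allowed: true, directive: null };
  const hasUnsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return { allowed: hasUnsafeInline && !hasNonceOrHash, directive };
}

// Constructed sample of the JSON body a report-uri endpoint receives
// for one blocked inline style (field names as Chrome sends them).
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.invalid/threads.php',
    'violated-directive': "style-src 'self'",
    'effective-directive': 'style-src',
    'original-policy': QUESTION_POLICY,
    'blocked-uri': 'inline',
    'source-file': 'https://example.invalid/threads.php',
    'line-number': 12,
    'column-number': 6,
    'status-code': 200,
  },
});

// One line per report: which directive blocked what, and where.
function summariseReport(reportJson) {
  const r = JSON.parse(reportJson)['csp-report'];
  const directive = r['effective-directive'] || r['violated-directive'];
  const where = r['source-file']
    ? `${r['source-file']}:${r['line-number'] !== undefined ? r['line-number'] : '?'}`
    : r['document-uri'];
  return `${directive} blocked ${r['blocked-uri']} at ${where}`;
}

// In a browser the same detail is available without a report endpoint:
// the document fires 'securitypolicyviolation' for every blocked item,
// including each inline style, with the file and line number.
// Returns false when there is no DOM (e.g. under Node).
function listenForViolations(log) {
  if (typeof document === 'undefined') return false;
  document.addEventListener('securitypolicyviolation', (e) => {
    log(`${e.violatedDirective} blocked ${e.blockedURI} at ${e.sourceFile}:${e.lineNumber}`);
  });
  return true;
}

if (typeof module !== 'undefined' && require.main === module) {
  const policy = parseCsp(QUESTION_POLICY);
  console.log('inline styles allowed:', inlineStylesAllowed(policy));
  console.log(summariseReport(SAMPLE_REPORT));
  listenForViolations(console.log);
}
```

Run under Node to see the verdict for the question's policy; drop the same functions into a page served with `report-uri` or `report-to` and `listenForViolations(console.log)` prints one line per blocked inline style directly in the DevTools console.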