
Why is Firefox ignoring the 'unsafe-inline' CSP directive?

Using Firefox 69.0.1.

In a local HTML file I want to run a JavaScript script in a <script> tag. However, even after adding

<meta http-equiv="Content-Security-Policy" content="default-src *; script-src * 'unsafe-inline';">

to the HTML header, Firefox still complains as follows:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

The line associated with the error is the line containing the opening <script> tag.


<!DOCTYPE html>
<html lang="en">
<head>
    <title>Title</title>

    <meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; script-src * 'unsafe-inline';">
    <meta charset="utf-8">

    <script>
        console.log("Foo, bar!");
    </script>

</head>

<body>Nothing interesting</body>

</html>

This is working in Chrome. What's up, Ff? Why are you so mean?

Are you using NoScript and forgot to enable the scripts from your site? The same error would occur in that case.

Also, you may wish to use a more extensive policy like:

Header set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';"


