[英]Why is Firefox ignoring 'unsafe-inline' csp directive?
Using Firefox 69.0.1.使用 Firefox 69.0.1。
In a local HTML file I want to run a JavaScript script in a <script>
tag.在本地 HTML 文件中,我想在
<script>
标记中运行 JavaScript 脚本。 However, even after adding但是,即使添加后
<meta http-equiv="Content-Security-Policy" content="default-src *; script-src * 'unsafe-inline';">
to the HTML header, Firefox still complains as follows:到 HTML header,Firefox 仍然抱怨如下:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
The line associated with the error is the line containing the opening <script>
tag.与错误关联的行是包含开始
<script>
标记的行。
<!DOCTYPE html>
<html lang="en" />
<head>
<title>Title</title>
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; script-src * 'unsafe-inline';">
<meta charset="utf-8">
<script>
console.log("Foo, bar!");
</script>
</head>
<body>Nothing interesting</body>
</html>
This is working in Chrome.这在 Chrome 中有效。 What's up, Ff?
怎么了,法? Why you so mean?
你为什么这么刻薄?
Are you using NoScript and forgot to enable the scripts from your site?您是否在使用 NoScript 并忘记从您的站点启用脚本? This same error would occur in this case.
在这种情况下也会发生同样的错误。
Also, you may wish to use a more extensive policy like:此外,您可能希望使用更广泛的策略,例如:
Header set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.