堆栈内存溢出
  简体   繁体   English

如何在 CSP 中使用“default-src 'none'”时使用 Jquery AJAX 加载页面

[英]How do I load page using Jquery AJAX while using 'default-src 'none'' in CSP

 原文  2020-12-27 08:33:56       javascript/ jquery/ content-security-policy

问题描述

How can I load a page in a DIV using jquery with the default-src 'none' ?如何使用 jquery 和default-src 'none'在 DIV 中加载页面?

I have checked my website using https://observatory.mozilla.org But I have one problem:我已经使用https://observatory.mozilla.org检查了我的网站,但我有一个问题:

It says that I should have default-src to 'none' , but my site contains jQuery which loads a page inside Div, and reloads it every 5 seconds (a chat system).它说我应该将default-src设置为'none' ,但我的网站包含 jQuery ,它在 Div 中加载一个页面,并每 5 秒重新加载一次(聊天系统)。

The JS code is: JS代码是:

function loadlink(){
    let loadURL = "/contact_live_chat/chat_display.html";
    let loadCallback = function(){
      $("#messages").scrollTop($('#messages').prop("scrollHeight"));
    }
    $('#messages').load(loadURL, loadCallback);
}

$(document).ready(function(){
  $('#submit').click(function(e) {
      e.preventDefault();
      $.ajax({
        type: 'POST',
        url: '/contact_live_chat/chat_display.html?sendmessage=1',
        data: {content: $('#contentofmessage').val()},
        success: loadlink
      });
        $('#contentofmessage').val('');
  });

  loadlink(); // This will run on page load

  setInterval(function () {
            var scrollTarget = $('#messages');
            var pos = scrollTarget.scrollTop();
            scrollTarget.load('/contact_live_chat/chat_display.html', function() {
                $('#messages').scrollTop(pos);
                });
  },5000);
})

But I get this error in the browser:但我在浏览器中收到此错误:

Content Security Policy: The page's settings blocked the loading of a resource at https://www.example.com/contact_live_chat/chat_display.html (“default-src”).内容安全策略:页面设置阻止加载https://www.example.com/contact_live_chat/chat_display.html (“default-src”)的资源。

Is there any other directive other than default-src which can help with this?除了 default-src 之外,还有其他指令可以帮助解决这个问题吗?

CSP is: CSP 是:

Header always set Content-Security-Policy "default-src 'none'; img-src data: https: 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; style-src 'self'; base-uri 'none'; form-action 'self'; media-src https: 'self'; frame-src 'none'; child-src 'none'"

1 个解决方案

解决方案1
 -1 已采纳  2020-12-27 08:54:21

How can I load a page in a DIV using jquery with the default-src 'none' ?如何使用 jquery 和default-src 'none'在 DIV 中加载页面?

I have checked my website using https://observatory.mozilla.org But I have one problem:我已经使用https://observatory.mozilla.org检查了我的网站,但我有一个问题:

It says that I should have default-src to 'none' , but my site contains jQuery which loads a page inside Div, and reloads it every 5 seconds (a chat system).它说我应该将default-src设置为'none' ,但我的网站包含 jQuery ,它在 Div 中加载一个页面,并每 5 秒重新加载一次(聊天系统)。

The JS code is: JS代码是:

function loadlink(){
    let loadURL = "/contact_live_chat/chat_display.html";
    let loadCallback = function(){
      $("#messages").scrollTop($('#messages').prop("scrollHeight"));
    }
    $('#messages').load(loadURL, loadCallback);
}

$(document).ready(function(){
  $('#submit').click(function(e) {
      e.preventDefault();
      $.ajax({
        type: 'POST',
        url: '/contact_live_chat/chat_display.html?sendmessage=1',
        data: {content: $('#contentofmessage').val()},
        success: loadlink
      });
        $('#contentofmessage').val('');
  });

  loadlink(); // This will run on page load

  setInterval(function () {
            var scrollTarget = $('#messages');
            var pos = scrollTarget.scrollTop();
            scrollTarget.load('/contact_live_chat/chat_display.html', function() {
                $('#messages').scrollTop(pos);
                });
  },5000);
})

But I get this error in the browser:但我在浏览器中收到此错误:

Content Security Policy: The page's settings blocked the loading of a resource at https://www.example.com/contact_live_chat/chat_display.html (“default-src”).内容安全策略:页面设置阻止加载https://www.example.com/contact_live_chat/chat_display.html (“default-src”)的资源。

Is there any other directive other than default-src which can help with this?除了 default-src 之外,还有其他指令可以帮助解决这个问题吗?

CSP is: CSP 是:

Header always set Content-Security-Policy "default-src 'none'; img-src data: https: 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; style-src 'self'; base-uri 'none'; form-action 'self'; media-src https: 'self'; frame-src 'none'; child-src 'none'"

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 当 CSP 无法从 default-src:'none' 更改时,是否可以进行 REST 调用? - Is it possible to make REST calls when the CSP cannot be changed from default-src: 'none'? 如何使用 jQuery/AJAX 在 HTML div 内加载 html 页面内容? - How do I load html page content inside of an HTML div using jQuery/AJAX? 在使用jquery-pjax时,如何强制一个链接完成整页加载 - While using jquery-pjax how can I force one link to do full page load 如何避免“内容安全策略:页面设置阻止加载内联资源(“default-src”)”? - How to avoid "Content Security Policy: The settings of the page blocked the loading of a resource inline ("default-src")"? 如何使用jquery / ajax加载同一页面? - How to load same page using jquery / ajax? 拒绝加载字体 '<url> ' 因为它违反了以下内容安全策略指令 default-src,所以使用 default-src 作为后备</url> - Refused to load the font '<URL>' because it violates the following Content Security Policy directive default-src ,so default-src is used as a fallback 如何使用javascript / jQuery / ajax打印不同的页面? - How do I print different page using javascript/jQuery/ajax? 如何使用jquery ajax将ReactJs加载到其他页面中 - How to load page contain ReactJs into other page using jquery ajax 如何使用jQuery设置页面加载的默认标签? - How to set default tab on page load using jquery? 如果用户未使用Jquery AJAX登录,如何加载内部日志记录页面 - How load an internal logging page if user not logged in Using Jquery AJAX
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM