内容安全策略块 Vue.js
[英]Content-Security-Policy blocks Vue.js
问题描述
I am serving a HTML page in my node.js server with express.public() function.
我正在使用 express.public() function 在我的 node.js 服务器中提供 HTML 页面。
and i added this into my html page:我将此添加到我的 html 页面中:
<script src="https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js"></script>
And Chrome gaves me a Content-Security-Policy to me. Chrome 给了我一个 Content-Security-Policy 给我。
I used this middlewares in my Node index.js我在我的节点 index.js 中使用了这个中间件
app.use(morgan('tiny'));
app.use(helmet());
app.use(cors());
app.use(express.json());
app.use(express.static("./public"));
My application headers:我的应用程序标题:
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
How can i add this script without any SecurityPolicy如何在没有任何 SecurityPolicy 的情况下添加此脚本
SOLVED解决了
I remove "Helmet" from my project.我从我的项目中删除了“头盔”。 Helmet is blocking the all cdn and scripts other then absolute domain. Helmet 阻止了除绝对域之外的所有 cdn 和脚本。
2 个解决方案
解决方案1
0 已采纳 2021-01-08 01:12:47
Content Security Policy is set in the html file being served or by the software serving the html (eg Nginx, Apache).内容安全策略在 html 文件中设置,或者由服务于 html 的软件(例如 Nginx,Apache)设置。
At the moment you have: default-src 'self', this means you are telling the browser that it is only able to make requests to its own domain.目前你有:default-src 'self',这意味着你告诉浏览器它只能向自己的域发出请求。
You need to add https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js to this list of domains it can access.您需要将https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js添加到它可以访问的域列表中。
That would be something like:那将是这样的:
Content-Security-Policy: default-src 'self';script-src 'self' https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js; base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
So default-src: self sets the default to restrict requests to only your own domain.所以 default-src: self 将默认设置为将请求限制在您自己的域中。
script-src 'self' https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js overrides this and says specifically for scripts restricts request to only your domain and that url. script-src 'self' https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js覆盖了这一点,并专门针对脚本将请求限制在您的域和 url 中。
This has lots of details and examples: https://content-security-policy.com这有很多细节和例子: https://content-security-policy.com
解决方案2
0 2021-01-08 08:05:38
In addition to what silent-tiger said, I think you should first find out which middleware is responsible for adding this content policy.除了silent-tiger说的,我觉得你应该先搞清楚是哪个中间件负责添加这个内容策略。 Do this by disabling all middleware (except express static) and then add the other middlewares one by one until you see the Content Secutity Policy headers again.为此,请禁用所有中间件(除了 express static),然后逐个添加其他中间件,直到您再次看到内容安全策略标头。
If you found which middleware is responsible, then you know which middleware you should configure.如果您找到了哪个中间件负责,那么您就知道应该配置哪个中间件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.