[英]CSP, Refused to load the script, violates the following Content Security Policy directive: "script-src 'self'"
Can someone explain me how can i add CSP meta tag to my header?有人可以向我解释如何将 CSP 元标记添加到我的 header 吗? i tried adding different meta tag to my header but i get more error from CSP我尝试向我的 header 添加不同的元标记,但我从 CSP 收到更多错误
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:*//api.mapbox.com/mapbox-gl-js/v2.3.1/mapbox-gl.js;">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data:gap 'unsafe-eval' ws: ; style-src 'self' 'unsafe-inline' script-src *; media-src *; font-src *; connect-src *; img-src 'self' data: content:;">
It looks like you already have a published CSP via an HTTP header because a console error saying:看起来您已经通过 HTTP header 发布了 CSP,因为控制台错误提示:
it violates the following Content Security Policy directive " default-src 'self' "它违反了以下内容安全策略指令“ default-src 'self' ”
while your meta tag contains other default-src
sources: default-src 'self' https:*//api.mapbox.com/mapbox-gl-js/v2.3.1/mapbox-gl.js而您的元标记包含其他default-src
来源: default-src 'self' https:*//api.mapbox.com/mapbox-gl-js/v2.3.1/mapbox-gl.js
You can check the CSP response HTTP header that you have, the tutorial is here .您可以查看您拥有的 CSP 响应 HTTP header,教程在这里。
In this case by adding meta tag you'll have 2 CSPs which will work independently each other, therefore CSP in HTTP header will continue to block your scripts.在这种情况下,通过添加元标记,您将拥有 2 个相互独立工作的 CSP,因此 HTTP header 中的 CSP 将继续阻止您的脚本。
Node.js has a Helmet middleware in dependancies, Helmet 4 automatically publishes a default CSP via HTTP header. Check it. Node.js 在依赖项中有一个 Helmet 中间件, Helmet 4通过 HTTP header 自动发布默认 CSP。检查它。
In this case you have 2 opts:在这种情况下,您有 2 个选择:
app.use( helmet({ contentSecurityPolicy: false, }) );
禁用 Helmet 的 CSP: app.use( helmet({ contentSecurityPolicy: false, }) );
and use a meta tag.并使用元标记。BTW you have errors in the:顺便说一句,您在以下方面有错误:
default-src 'self' data:gap 'unsafe-eval' ws: ; style-src 'self' 'unsafe-inline' script-src *; media-src *; font-src *; connect-src *; img-src 'self' data: content:;
data:gap
is a wrong source, use data:
or data: gap:
depending on what you need. data:gap
是一个错误的来源,使用data:
或data: gap:
取决于你需要什么。;
错过了;
before script-src
在script-src
之前
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.