内容安全策略元标记“不安全内联”不起作用
[英]Content-Security-Policy meta tag 'unsafe-inline' doesn't work
问题描述
I was getting CSS cross-origin policy, in my electron application:
我在我的电子应用程序中获得了 CSS 跨域策略:
Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;700&display=swap' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the font 'https://cdn.scaleflex.it/plugins/filerobot-image-editor/assets/fonts/filerobot-image-editor-font/v5/filerobot-image-editor-font.ttf?ua0hzun3' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the font 'https://cdn.scaleflex.it/plugins/filerobot-image-editor/assets/fonts/filerobot-image-editor-font/v5/filerobot-image-editor-font.woff?ua0hzun3' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
So I tried something like this:所以我尝试了这样的事情:
<meta http-equiv="Content-Security-Policy"
content="
default-src 'self' https://cdn.scaleflex.it https://fonts.googleapis.com 'unsafe-eval' 'unsafe-inline';
style-src 'self' https://cdn.scaleflex.it https://fonts.googleapis.com 'unsafe-eval' 'unsafe-inline';
style-src-elem 'self' https://cdn.scaleflex.it https://fonts.googleapis.com 'unsafe-eval' 'unsafe-inline';
font-src 'self' https://cdn.scaleflex.it https://fonts.googleapis.com 'unsafe-eval' 'unsafe-inline';
"
/>
But it is giving me something like:但它给了我类似的东西:
Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;700&display=swap' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;700&display=swap' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the font 'https://cdn.scaleflex.it/plugins/filerobot-image-editor/assets/fonts/filerobot-image-editor-font/v5/filerobot-image-editor-font.ttf?ua0hzun3' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the font 'https://cdn.scaleflex.it/plugins/filerobot-image-editor/assets/fonts/filerobot-image-editor-font/v5/filerobot-image-editor-font.woff?ua0hzun3' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
But according to most of the answers, this work.但根据大多数答案,这项工作。 Like: ans1 , ans2 .像: ans1 , ans2 。
1 个解决方案
解决方案1
0 2021-11-13 14:47:05
Key point is in:关键在于:
- because it violates the following Content Security Policy directive: " default-src 'self' 'unsafe-inline' data: "因为它违反了以下内容安全策略指令:“ default-src 'self' 'unsafe-inline' data: ”
- Note that ' font-src ' was not explicitly set / Note that ' style-src-elem ' was not explicitly set请注意,“ font-src ”未明确设置/请注意,“ style-src-elem ”未明确设置
while you have font-src and style-src / style-src-elem directives in the meta tag.当您在元标记中有font-src和style-src / style-src-elem指令时。
This means that it is not a CSP of your meta tag does blocking, but some other CSP.这意味着它不是您的元标记的 CSP 阻止,而是其他一些 CSP。 In case of several CSP's are published, all sources should pass all CSPs to be allowed.如果发布了多个 CSP,则所有来源都应通过所有 CSP 才能被允许。
Check do you use electron-forge/plugin-webpack plugin (or something similar) - these can add a meta tag with their own default CSP.检查您是否使用electron-forge/plugin-webpack插件(或类似的东西) - 这些可以使用自己的默认 CSP 添加元标记。 In this case you'll see 2 <meta http-equiv="Content-Security-Policy"... meta tags in the HTML code.在这种情况下,您将在 HTML 代码中看到 2 个<meta http-equiv="Content-Security-Policy"...元标记。
Also Electron in Dev mode can publish a CSP via HTTP header, you can check it or search your project for code like this:此外,开发模式下的 Electron 可以通过 HTTP 标头发布 CSP,您可以检查它或在您的项目中搜索如下代码:
session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
callback({ responseHeaders: Object.assign({
...details.responseHeaders,
"Content-Security-Policy": [ "default-src 'self'" ]
}, details.responseHeaders)});
});
In any case, you need to make changes to the CSP that is already being published, and not add a new one.在任何情况下,您都需要对已发布的 CSP 进行更改,而不是添加新的 CSP。
Note that:注意:
-
'unsafe-eval'token is not supported in thestyle-src-elemdirective.style-src-elem指令中不支持'unsafe-eval'标记。 -
'unsafe-eval'and'unsafe-inline'tokens are not supported in thefont-srcdirective.font-src指令不支持'unsafe-eval'和'unsafe-inline'标记。 You can remove these.您可以删除这些。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.