
CSP style-src SHA256 present, but browser issues warning that it isn't

I've added the following CSP to my nginx configuration:

add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src *.gravatar.com; script-src-elem 'self' 'sha256-HeezHnLPgcw5524/5YMbWWQXJ/fdKZsQX5vG7t1UmJw=' 'sha256-FVzC2JpGNv45prICvPCadmKf+wnLz6Eem3UQaAnTK/4=' 'sha256-Tr3bLHN4KJG2A/qFIDTX+Yb0nG+Z+HS9VAD6k0/r+vY=' 'sha256-NYk7Q8DQLjjJRwkQ9oG2juhRXSdsOjLWMy0IpXWymRc=' 'sha256-pu6oe0vPSMzzITPF3U0Z8qBWhbBKykixk7D9kFsDySY='; script-src-attr 'self'; style-src 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='; style-src-elem 'self' 'sha256-OyKg6OHgnmapAcgq002yGA58wB21FOR7EcTwPWSs54E=' 'sha256-CK/6NyEbsJb3V2Bo26t3s0V3RAi3gTWWrjUNGLIZLfw=' 'sha256-hc4UHa0RDFRaKgh++CLvhy5nf4yco/u+xPDeTrTejhg=';";

My browser (Chrome) issues the following warning:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='". Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

As you can see the hash style-src 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY=' is present and set, but the browser is saying there's still a problem.

I can't work this out. Any help?

This is answered well here: Refused to execute inline event handler because it violates CSP. (SANDBOX)

As user27878850 suggests, you could add 'unsafe-hashes', but that would currently only work in Chromium browsers.
