Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script (Content Security Policy directive: default-src 'self')
In my application I want a Content Security Policy where all directives are set to 'self', but when I try to do that the browser shows the following errors:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self';".
    at Function (<anonymous>)
    at Function._init (yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:8:3195)
    at yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:9:4331
    at yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.js:9:4558

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-BfUVqxUMiFIZGvtAvlU3O1tTN9idUT5IuAIpMSM2F5g='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&display=swap' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
The content security policy must have these directives:

    default-src 'self';
    script-src 'self' 'unsafe-eval';
    style-src 'self' fonts.googleapis.com;

and more.

If you are using helmet on your Node.JS server, you can configure the following:

    const helmet = require("helmet");

    server.use(helmet({
      contentSecurityPolicy: false
    }));

Or you can configure the following to whitelist a specific domain:

    server.use(
      helmet.contentSecurityPolicy({
        directives: {
          "script-src": ["'self'", "example.com"],
          "style-src": null,
        },
      })
    );