
Add unpkg to Content Security Policy (CSP)

How can I add specific libraries (ES modules) fetched through Unpkg to my Content Security Policy (CSP) policy - ie without allowing everything from Unpkg?

For example, this is how I provide one library:

<script
  type="module"
  src="https://unpkg.com/web-social-share@latest/dist/websocialshare/websocialshare.esm.js"></script>

I tried various solutions such as https://unpkg.com/web-social-share@latest/* or https://unpkg.com/web-social-share@* for my script-src policy, but all resulted in an error:

Refused to load the script 'https://unpkg.com/web-social-share@latest/dist/websocialshare/websocialshare.esm.js' because it violates the following Content Security Policy directive: "script-src 'self'...

Anything that seems to work is allowing everything from Unpkg which I would like to avoid.

<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self';
    script-src 'self' https://unpkg.com/;" />

This is available only in CSP level 3: https://www.w3.org/TR/CSP3/#external-hash . But unfortunately you'll still need to support level 2. You can however use Subresource Integrity in most browsers.
