
Content Security Policy violation on external JS script

Sorry for the bad description. I have an app that works fine on localhost and the test server. On the machine that has a connection to the test server, when I try to access the app via the server's IP and port, I can access the app too. But with a rerouting that points to my app's test server IP and port, I get the 2 errors below in a script that I use from a different host. The test server doesn't have outside connections allowed, but the related script host has been allowed. I have tried adding CSP headers to IIS but it didn't work. How can I resolve this issue, or how can I get more details about it? Any help would be appreciated. Thank you.

1st error:

Refused to create a worker from 'blob: https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'default-src' is used as a fallback.

2nd error:

Uncaught DOMException: Failed to construct 'Worker': Access to the script at 'blob: https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf' is denied by the document's Content Security Policy.

Script that got the error:

<script src="https://scriptsource.com/script.php?lang=en"></script>

Due to privacy issues domain names are replaced.

Update: So I have tried to download and use the script locally; there were a couple of API calls in the JavaScript file and it gave the same error again.

Update 2: I have checked through the script file and found the lines that are causing the issue. I have added a "default-src 'self' 'unsafe-inline'; worker-src blob:;" meta header but still get the same error:

// Wrap an importScripts() call in a Blob and expose it as a blob: URL.
const e = window.URL || window.webkitURL,
      n = new Blob(['importScripts("' + Dt.faceworker + "?v=" + t.replace(/\./g, "") + '");'],
                   { type: "application/javascript" }),
      o = e.createObjectURL(n);
// The Worker is created from the blob: URL, so it is this blob: scheme (not the
// remote script host) that the page's worker-src / default-src directive must allow.
Wt = new Worker(o);

The CSP on your page doesn't allow "blob:". Adding another CSP in a meta tag can only impose restrictions; it can't change the other CSP that is likely there and served in a response header. You will likely need to modify the original CSP, adding blob: to default-src or worker-src.
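The answer above rests on two CSP rules: a worker request is governed by worker-src, falling back to child-src, then script-src, then default-src; and when several policies are delivered (response header plus a meta tag), the request must satisfy every one of them, so a meta policy can only tighten. The following is an added example, not code from the question or the answer, modelling that check in Node.js against policy strings constructed to mirror the question (the header policy from the first error, the asker's meta policy, and a corrected header). The `'self'` handling follows browser behaviour, where a blob: URL is not treated as same-origin for CSP purposes; host-source matching is simplified to exact origins.

```javascript
// Added example: a small model of the browser-side CSP check that produced the
// "Refused to create a worker from 'blob:...'" error. All policies and URLs below are
// constructed for illustration, not taken from a real deployment.

const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

// Parse "directive value value; directive value" into a map. As in CSP, a repeated
// directive name is ignored after its first occurrence.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Which directive governs worker creation in this policy? Follows the worker-src
// fallback chain; returns null when the policy says nothing about workers.
function governingDirective(directives) {
  for (const name of WORKER_FALLBACK) {
    if (name in directives) return { name, sources: directives[name] };
  }
  return null;
}

// Does one source expression match the URL? Covers scheme sources (blob:, data:,
// https:), the 'self' and 'none' keywords, '*', and exact host sources.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  const scheme = url.slice(0, url.indexOf(":")).toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return !["blob", "data", "filesystem"].includes(scheme);
  if (e === "'self'") {
    // Browsers do not treat blob: URLs as 'self'; only same-origin http(s) qualifies.
    if (scheme !== "http" && scheme !== "https") return false;
    return new URL(url).origin === pageOrigin;
  }
  if (e.startsWith("'")) return false; // 'unsafe-inline', nonces etc. never match a URL
  if (e.endsWith(":")) {               // scheme-source; http: also covers https
    const s = e.slice(0, -1);
    return s === scheme || (s === "http" && scheme === "https");
  }
  // host-source, simplified to an exact origin comparison (no wildcards or paths)
  if (scheme !== "http" && scheme !== "https") return false;
  const allowed = new URL(e.includes("://") ? e : "https://" + e).origin;
  return new URL(url).origin === allowed;
}

// Evaluate one policy; the reason string shows which directive was consulted.
function policyAllowsWorker(policy, url, pageOrigin) {
  const directive = governingDirective(parsePolicy(policy));
  if (directive === null) return { allowed: true, reason: "no worker-related directive" };
  const allowed = directive.sources.some((src) => sourceMatches(src, url, pageOrigin));
  const note = directive.name === "worker-src" ? "" : " (fallback from worker-src)";
  return { allowed, reason: `${directive.name}${note}: ${directive.sources.join(" ")}` };
}

// Header and <meta> policies are enforced independently: all of them must allow the URL.
function allPoliciesAllowWorker(policies, url, pageOrigin) {
  const results = policies.map((p) => policyAllowsWorker(p, url, pageOrigin));
  return { allowed: results.every((r) => r.allowed), results };
}

// Constructed scenario mirroring the question.
const PAGE_ORIGIN = "https://redirecteddomain.com";
const WORKER_URL = "blob:https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf";
const HEADER_POLICY = "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
const META_POLICY = "default-src 'self' 'unsafe-inline'; worker-src blob:";
// Corrected header: an explicit worker-src that allows blob: (and same-origin workers).
const FIXED_HEADER_POLICY =
  "default-src https: data: 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:";

function demo() {
  return {
    headerOnly: allPoliciesAllowWorker([HEADER_POLICY], WORKER_URL, PAGE_ORIGIN).allowed,
    headerPlusMeta: allPoliciesAllowWorker([HEADER_POLICY, META_POLICY], WORKER_URL, PAGE_ORIGIN).allowed,
    fixedHeader: allPoliciesAllowWorker([FIXED_HEADER_POLICY], WORKER_URL, PAGE_ORIGIN).allowed,
  };
}

console.log(demo()); // { headerOnly: false, headerPlusMeta: false, fixedHeader: true }
```

Running it shows why the meta tag changed nothing: the header policy's default-src is consulted as the fallback for worker-src, none of `https:`, `data:` or the keywords match a blob: URL, and the meta policy's `worker-src blob:` cannot relax a header policy that is evaluated on its own. Only changing the policy delivered in the response header lets the worker load.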
