Edge忽略内容安全策略中的script-src [英] Edge ignores script-src in Content Security Policy
问题描述
我有以下内容安全政策
value="default-src 'self'
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net;
img-src 'self' data: https://s3.amazonaws.com;
frame-src 'self' *.salesforce.com *.force.com;"
这在Chrome和Firefox中正常运行.在Edge中,它没有运行,因为我们有一些内联脚本(即onClick="foo()
).
This works fine in Chrome and Firefox. In Edge it is not running because we have some inline scripts (ie onClick="foo()
).
我的理解是default-src
设置默认值,而script-src
应该覆盖这些默认值.
My understanding is the the default-src
sets the defaults and the script-src
should override those defaults.
有人知道这是否是Edge中的错误,还是我以某种方式对其进行了破坏?
Does anyone know if this is a bug in Edge, or if I've botched it in some way?
推荐答案
原来的问题是,尽管这就是我们的CSP在web.test.config中的显示方式,但该转换将以下内容放入了web.config
Turns out the problem was that though that is the way our CSP looks in our web.test.config, the transform puts the following into the web.config
value="default-src 'self'
 style-src 'self' 'unsafe-inline'; 

script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; 
 img-src 'self' data: https://s3.amazonaws.com;
 frame-src 'self' *.salesforce.com *.force.com;"
基本上,XDT会用 替换值中的CRLF,这会导致Edge放弃处理CSP的操作,因此只获得第一行.
Basically the XDT replaces the CRLFs in the value with , which causes Edge to give up on processing the CSP so you only get the first line.
这篇关于Edge忽略内容安全策略中的script-src的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!