Play framework - Content Security Policy setting doesn't work?
Question
I use sbt to build a play-scala-seed project, and add a simple:
<button id="doclick" onclick="doConsole();">click</button>
But when I start the project and click the button, the console gives the error output:
localhost/:17 Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
application.conf
play.http.filters = "filter.Filters"
play.filters.headers.contentSecurityPolicy="script-src 'self' 'unsafe-inline'"
I just followed the official documentation, play-securityheaders.
Did I miss something or get the wrong path, because I still cannot call the inline script?
Recommended answer
I had the same problem and found the solution after 2 hours of fiddling with it.
I am using compile-time dependency injection and I changed the application mixin from HttpFiltersComponents to NoHttpFiltersComponents, which solved the problem.
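
An added example, not part of the original question or answer: a small JavaScript check that applies the fallback described in the browser error (no `script-src`, so `default-src` governs) and compares the policy from the error message with the one set in application.conf. The helper names `parseCsp` and `inlineHandlerVerdict` are hypothetical.

```javascript
// Added example: parseCsp and inlineHandlerVerdict are hypothetical helper names.
// Parse a Content-Security-Policy header value into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Decide whether an inline event handler (onclick="...") may run under the policy.
// Fallback order for handlers: script-src-attr, then script-src, then default-src.
// Not modelled: 'unsafe-hashes' combined with a matching hash.
function inlineHandlerVerdict(header) {
  const policy = parseCsp(header);
  const governing = ['script-src-attr', 'script-src', 'default-src']
    .find((d) => policy.has(d));
  if (!governing) return { governing: null, allowed: true };
  const sources = policy.get(governing).map((s) => s.toLowerCase());
  // A nonce, a hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const allowed = sources.includes("'unsafe-inline'")
    && !hasNonceOrHash
    && !sources.includes("'strict-dynamic'");
  return { governing, allowed };
}

// Policies taken from the page: the one in the browser error and the configured one.
const served = 'default-src *';
const configured = "script-src 'self' 'unsafe-inline'";

console.log('served    ', inlineHandlerVerdict(served));
console.log('configured', inlineHandlerVerdict(configured));
// A mismatch means the header the browser received is not the configured value.
console.log('header matches config:', served === configured);
```

Feeding it the `Content-Security-Policy` response header shown in the browser's network tab tells you whether the configured value is the one actually being sent.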