Why does my Content Security Policy work everywhere but Safari
Question
I have defined my security policy as:
default-src 'self'; script-src 'self'; frame-src 'self'; style-src 'self' 'unsafe-inline';
(I still have CSS at the head of several pages).
I have no trouble with Firefox or Chrome (IE doesn't support CSP yet) but, when I try testing in Safari, I get a string of errors like:
Refused to load style from 'http://localhost/styles/alliance.css' because of Content-Security-Policy.
...
Refused to load image from 'http://localhost/images/Landing1.jpg' because of Content-Security-Policy.
...
Refused to load script from 'http://localhost/JQuery/jquery-1.7.2.min.js' because of Content-Security-Policy.
The images should be covered by default-src and the other two are listed as "Self" so I don't know why Safari is not accepting my images and scripts. I do not have a Mac so I am using Safari on Windows (5.1.7).
Any ideas? Thanks!
Answer
Safari 5 is a bit behind in its implementation of CSP. Safari 6 is much better, but I don't think it's been released for Windows. I think you're simply seeing implementation bugs. If WebKit nightlies are available for Windows, that might be a good alternative for testing.
Honestly, though, I wouldn't recommend serving the X-WebKit-CSP header to Safari 5. Safari 6, yes, but 5 is a bit too broken to really use.
Note also that you can simplify your policy. Both script-src and frame-src will fall back to default-src. default-src 'self'; style-src 'self' 'unsafe-inline' should have the same effect.
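As an added example that is not part of the original question or answer: a small JavaScript CSP evaluator that applies the fallback rule the answer describes (a fetch directive that is absent takes the source list of default-src) and checks the loads reported in the question under both the original policy and the simplified one. The two policy strings and the http://localhost URLs come from the question; the https://code.jquery.com URL, the PAGE_ORIGIN constant, the extra host-source policies and all function names are assumptions made for this example. It implements 'self', 'none', '*', 'unsafe-inline' and host sources (optional scheme, host with a leading "*." wildcard, optional port); path matching, scheme-only sources, nonces and hashes are deliberately omitted. One caveat on the "same effect" claim: CSP Level 2 and later make frame-src fall back to child-src first, but child-src itself falls back to default-src, so the simplification still holds; the code below models the single-step CSP 1.0 fallback that Safari 6-era WebKit implemented.

```javascript
// Added example, not code from the original post: a minimal CSP evaluator
// demonstrating directive fallback to default-src and source-list matching.
// Policies and localhost URLs are taken from the question; everything else
// (PAGE_ORIGIN, the CDN URL, function names) is an assumption for the example.

// Fetch directives that fall back to default-src when absent (CSP 1.0 rule).
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "font-src", "media-src",
  "object-src", "frame-src", "connect-src",
]);

// Parse "default-src 'self'; script-src 'self' https://cdn.example" into a
// Map of directive name -> array of source expressions. The first occurrence
// of a directive wins; later duplicates are ignored, as the spec requires.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list that actually governs `name`: the directive itself, else
// default-src for fetch directives, else null (meaning "unrestricted").
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FETCH_DIRECTIVES.has(name) && directives.has("default-src")) {
    return directives.get("default-src");
  }
  return null;
}

// Port to compare against when a host source names one explicitly.
function effectivePort(url) {
  return url.port || (url.protocol === "https:" ? "443" : "80");
}

// Does one source expression permit loading `url` from a page at `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'none'" || lower.startsWith("'unsafe-")) return false;
  if (lower === "*") return true;
  if (lower === "'self'") return url.origin === pageOrigin;
  // Host source: [scheme://]host[:port], e.g. https://code.jquery.com or
  // *.example.com:8443. Path matching is omitted (assumption for brevity);
  // a missing scheme is treated as "any scheme".
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/.exec(lower);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme !== url.protocol.slice(0, -1)) return false;
  const hostOk = host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*" && port !== effectivePort(url)) return false;
  return true;
}

// Would a load of `resourceUrl`, governed by `directive`, be allowed?
function allowsLoad(policy, directive, resourceUrl, pageOrigin) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true; // nothing governs it: unrestricted
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Would an inline <script> (script-src) or <style> (style-src) be allowed?
function allowsInline(policy, directive) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// The two policies from the question and the answer; the page origin is the
// http://localhost origin the error messages in the question refer to.
const ORIGINAL = "default-src 'self'; script-src 'self'; frame-src 'self'; style-src 'self' 'unsafe-inline';";
const SIMPLIFIED = "default-src 'self'; style-src 'self' 'unsafe-inline'";
const PAGE_ORIGIN = "http://localhost";

// The checks from the question plus two constructed ones (cross-origin script,
// same-origin frame). Running this for both policies shows they agree everywhere.
function evaluate(policy) {
  return {
    localStyle: allowsLoad(policy, "style-src", "http://localhost/styles/alliance.css", PAGE_ORIGIN),
    localImage: allowsLoad(policy, "img-src", "http://localhost/images/Landing1.jpg", PAGE_ORIGIN),
    localScript: allowsLoad(policy, "script-src", "http://localhost/JQuery/jquery-1.7.2.min.js", PAGE_ORIGIN),
    cdnScript: allowsLoad(policy, "script-src", "https://code.jquery.com/jquery-1.7.2.min.js", PAGE_ORIGIN),
    localFrame: allowsLoad(policy, "frame-src", "http://localhost/embed.html", PAGE_ORIGIN),
    inlineStyle: allowsInline(policy, "style-src"),
    inlineScript: allowsInline(policy, "script-src"),
  };
}

console.log("original  :", evaluate(ORIGINAL));
console.log("simplified:", evaluate(SIMPLIFIED));
```

A browser that behaves like this evaluator would accept every localhost load in the question under either policy, so Safari 5's "Refused to load" messages cannot be explained by the policy text itself, which is the answer's point. The evaluator is also a convenient way to sanity-check a proposed simplification before shipping it: if evaluate() differs between the old and new policy on any resource you serve, the rewrite is not equivalent.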