Call to function() blocked by CSP even after adding 'unsafe-eval'
Problem description
I am working on a NodeJS project and I'm using CSP (Content Security Policy).
I'm using an external plugin, FullCalendar, which is being blocked by CSP, giving the following error:
Error: call to Function() blocked by CSP
I use script-src 'self' 'unsafe-eval'; to override it, but it did not work in Firefox. In other browsers it is working fine.
I have been stuck on this issue for 4h.
It would be helpful to get the solution.
I am using the following format in CSP restrictions.
X-Content-Security-Policy: default-src *; script-src 'self' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline img-src *;options eval-script;
X-WebKit-CSP: default-src *; script-src 'self' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline img-src *;
Content-Security-Policy: default-src *; script-src 'self' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline img-src *;
Recommended answer
The simplest way I found on the Internet. Embed a meta tag in your index.html file:
<meta http-equiv="Content-Security-Policy"
content="
default-src *;
style-src * 'unsafe-inline';
script-src * 'unsafe-eval';
img-src * data:;
" />
This will allow rendering and use of metafiles like images, JavaScript, CSS from other sources or platforms.
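The policies from the question and from the answer as posted, run through a small linter that tokenizes them the way the CSP Level 3 parsing rules do (split on ';', first token is the directive name, later duplicates ignored). This is an added example, not code from the original post; parseCsp, lintCsp and the DIRECTIVES subset are hypothetical names chosen for illustration.

```javascript
// Added example: tokenizes a policy per the CSP3 parsing rules and reports
// problems. DIRECTIVES is a subset chosen for this page (an assumption).
const DIRECTIVES = new Set(['default-src', 'script-src', 'style-src', 'img-src',
  'object-src', 'connect-src', 'frame-src', 'font-src', 'media-src']);

// Split on ';', lowercase the directive name, and keep only the first
// occurrence of each directive (later duplicates are ignored).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function lintCsp(policy) {
  const findings = [];
  const directives = parseCsp(policy);
  for (const [name, sources] of directives) {
    if (!DIRECTIVES.has(name)) findings.push(`unknown directive "${name}"`);
    for (const src of sources) {
      // A keyword such as 'unsafe-inline' must open and close with a quote.
      if (src.startsWith("'") !== src.endsWith("'") || src === "'")
        findings.push(`${name}: unbalanced quote in ${src}`);
      // A directive name inside a source list means a ';' is missing before it.
      if (DIRECTIVES.has(src.toLowerCase()))
        findings.push(`${name}: "${src}" parsed as a source, missing ";"`);
    }
  }
  const script = directives.get('script-src') || directives.get('default-src') || [];
  if (script.includes('*') && script.includes("'unsafe-eval'"))
    findings.push("script sources: * combined with 'unsafe-eval'");
  return findings;
}

// Policy strings copied from the question and from the answer as posted.
const QUESTION = "default-src *; script-src 'self' 'unsafe-eval'; object-src 'none'; " +
  "style-src 'self' 'unsafe-inline img-src *;options eval-script;";
const ANSWER = "default-src * style-src * 'unsafe-inline' script-src * " +
  "img-src * data: 'unsafe-eval'";

console.log(lintCsp(QUESTION));
console.log(lintCsp(ANSWER));
```

On the question's header it reports the unclosed 'unsafe-inline quote that swallows img-src and the unrecognised options directive. On the answer's policy without semicolons, every token lands in default-src, so script loading falls back to a wildcard source list that also carries 'unsafe-eval'.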