拒绝执行内联脚本,因为它违反了以下内容安全策略指令:“script-src'self'” [英] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"
本文介绍了拒绝执行内联脚本,因为它违反了以下内容安全策略指令:“script-src'self'”的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我为Rss阅读器创建了一个Chrome扩展,在那个即时通讯中得到了上述错误请帮助
manifest.json $ b
{
name:Tutorialzine Extension,
manifest_version:2,
version:1.1,
description:制作您的第一个Google Chrome扩展程序。,
图标:{
128:icon_128.png
},
web_accessible_resources:[script.js,https ://query.yahooapis.com],
browser_action:{
default_icon:icon.png,
default_popup:tutorialzine.html
,
permissions:[tabs,< all_urls,http:// localhost /,
http:// * / *,https:// * / *,https://query.yahooapis.com],
content_security_policy:script-src'self';'https://query.yahooapis.com'; unsafe-inline; object-src'self'
}
script.js
$(document).ready(function(){
va r query =SELECT * FROM feed WHERE url ='http://feeds.feedburner.com/Tutorialzine'LIMIT 2;
//存储自现在开始的秒数:
var now =(new Date())。getTime()/ 1000;
//如果localStorage中没有设置缓存,或者缓存大于1小时:
if(!localStorage.cache || now - parseInt(localStorage.time)> 1 * 60 * 60){
$ .get(yahoo.js,function(msg){
// msg.query.results.item是一个数组:
var items = msg.query.results.item;
var htmlString =;
for(var i = 0; i< items.length; i ++){
var tut = items [i];
//从永久链接提取帖子ID:
var id = tut.guid.content.match(/(\ d +)$ / )[0];
//循环并生成教程标记:
htmlString + ='< div class =tutorial> \
< img src =http://tutorialzine.com/img/posts/'+ id +'.jpg/> \
< h2>'+ tut.title +'< / h2> \
< p> + tut.description +'< / p> \
< a href ='+ tut.link +'target =_ blank>阅读更多内容< / a> \\ \\
< / div>';
}
//设置缓存
localStorage.cache = htmlString;
localStorage.time = now;
//更新内容div:
$('#content')。html(htmlString);
},'json');
} else {
//缓存是新鲜的,使用它:
$('#content')。html(localStorage.cache);
jquery.min.js错误:
Jquery.min.js包含内联脚本执行操作
parentNode:d .removeChild(d.appendChild(s.createElement( DIV)))parentNode ===空,deleteExpando:真,checkClone:假,scriptEval:假,noCloneEvent:真,boxModel:空}; b.type =文本/ JavaScript的 ;尝试{b.appendChild(s.createTextNode( 窗口 + F += 1;))}赶上(I){} a.insertBefore(b,a.firstChild);如果(A [ f)){c.support.scriptEval = true; delete A [f]} try {delete b.test} catch(o){c.support.deleteExpando = false} a.removeChild(b); if(d.attachEvent& amp; amp; ;& d.fireEvent){d.attachEvent(onclick,function k(){c.support.noCloneEvent =
<在使用LinkedIn oAuth API时,我也遇到了这种类型的问题。
我使用linkedIn API以下设置为cordova
config.xml
< access origin =*launc H-外部= 是/>
< allow-navigation href =*/>
元标记
< meta http-equiv =Content-Security-Policycontent =default-src *; style-src'self''unsafe-inline'; script-src 'self''unsafe-inline''unsafe-eval'>
脚本
< script type =text / javascriptsrc =http://platform.linkedin.com/in.js>< / script>
当我在模拟器上运行应用程序时,它给出
修正了将uri添加到元标记中的问题 http://platform.linkedin.com like
< meta http-equiv =Content-Security-Policycontent =default-src *; style-src'self''unsafe-inline'; script-src'self''unsafe-inline''unsafe -eval'http://platform.linkedin.com>
Im creating a chrome extension for Rss reader in that im getting the above error. please help
manifest.json
{
"name": "Tutorialzine Extension",
"manifest_version": 2,
"version": "1.1",
"description": "Making your first Google Chrome extension.",
"icons": {
"128": "icon_128.png"
},
"web_accessible_resources": ["script.js", "https://query.yahooapis.com"],
"browser_action": {
"default_icon": "icon.png",
"default_popup": "tutorialzine.html"
},
"permissions": ["tabs", "<all_urls", "http://localhost/",
"http://*/*", "https://*/*", "https://query.yahooapis.com"],
"content_security_policy": "script-src 'self'; 'https://query.yahooapis.com';unsafe-inline; object-src 'self'"
}
script.js
$(document).ready(function () {
var query = "SELECT * FROM feed WHERE url='http://feeds.feedburner.com/Tutorialzine' LIMIT 2";
// Storing the seconds since the epoch in now:
var now = (new Date()).getTime() / 1000;
// If there is no cache set in localStorage, or the cache is older than 1 hour:
if (!localStorage.cache || now - parseInt(localStorage.time) > 1 * 60 * 60) {
$.get("yahoo.js", function (msg) {
// msg.query.results.item is an array:
var items = msg.query.results.item;
var htmlString = "";
for (var i = 0; i < items.length; i++) {
var tut = items[i];
// Extracting the post ID from the permalink:
var id = tut.guid.content.match(/(\d+)$/)[0];
// Looping and generating the markup of the tutorials:
htmlString += '<div class="tutorial">\
<img src="http://tutorialzine.com/img/posts/' + id + '.jpg" />\
<h2>' + tut.title + '</h2>\
<p>' + tut.description + '</p>\
<a href="' + tut.link + '" target="_blank">Read more</a>\
</div>';
}
// Setting the cache
localStorage.cache = htmlString;
localStorage.time = now;
// Updating the content div:
$('#content').html(htmlString);
}, 'json');
} else {
// The cache is fresh, use it:
$('#content').html(localStorage.cache);
}
}
Error in jquery.min.js:
Jquery.min.js contains inline script what to do
parentNode:d.removeChild(d.appendChild(s.createElement("div"))).parentNode===null,deleteExpando:true,checkClone:false,scriptEval:false,noCloneEvent:true,boxModel:null};b.type="text/javascript";try{b.appendChild(s.createTextNode("window."+f+"=1;"))}catch(i){}a.insertBefore(b,a.firstChild);if(A[f]){c.support.scriptEval=true;delete A[f]}try{delete b.test}catch(o){c.support.deleteExpando=false}a.removeChild(b);if(d.attachEvent&&d.fireEvent){d.attachEvent("onclick",function k(){c.support.noCloneEvent=
解决方案
I also faced such type of problem when working with LinkedIn oAuth API.
I was using linkedIn API with following settings for cordova
config.xml
<access origin="*" launch-external="yes"/>
<allow-navigation href="*" />
Meta Tag was
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
Script
<script type="text/javascript" src="http://platform.linkedin.com/in.js"></script>
When i run the application on emulator its giving
Fixed Problem to add uri into meta tag http://platform.linkedin.com like
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://platform.linkedin.com ">
这篇关于拒绝执行内联脚本,因为它违反了以下内容安全策略指令:“script-src'self'”的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
