使用Google地图API的CSP不安全评估 [英] CSP unsafe-eval using Google Maps API
问题描述
在尝试使用Google地图的API时,出现 script-src
'unsafe-eval'
p>
< script src =https://maps.googleapis.com/maps/api/js?v=3.exp&sensor=false >< / script>
以下是控制台错误:
未捕获的EvalError:拒绝将字符串评估为JavaScript,因为'unsafe-eval'不是下列内容安全策略指令中允许的脚本源:script-src'self''*。 gstatic.com * .googleapis.com * .google-analytics.com * .google.com。
你会认为Google的库中不会有任何不安全的eval触发器。 Incase可能是我的身边,我的代码如下:
js
function initialize(){
//创建地图。
var mapOptions = {
zoom:4,
center:new google.maps.LatLng(37.09024,-95.712891),
mapTypeId:google.maps.MapTypeId .ROADMAP,
zoomControl:true,
streetViewControl:false
};
var map = new google.maps.Map(document.getElementById('map-canvas'),
mapOptions);
google.maps.event.addListener(map,click,function(e){
var marker = new google.maps.Marker({
draggable:true,
raiseOnDrag:false,
map:map,
position:e.latLng
});
var radius = Math.pow (2,(20-map.getZoom()))* 3;
if(radius <100){
radius = 100;
}
var circle = new google.maps.Circle({
map:map,
editable:true,
radius:radius,
fillColor:'#0159e5',
strokeColor :'#0159e5',
strokeWeight:1,
geodesic:true
});
circle.bindTo('center',marker,'position') ;
google.maps.event.addListener(circle,'radius_changed',function(){
if(circle.getRadius()<100){
circle.setRadius(100);
}
});
//设置表单域
document.getElementById(geo-fence-lat)。value = marker.getPosition()。lat();
document.getElementById(geo-fence-long)。value = marker.getPosition()。lng();
document.getElementById(geo-fence-radius)。value = Math.ceil(radius / 100)* 100;
google.maps.event.clearListeners(地图,点击);
addListeners(circle);
});
$ b
GMaps替代品的任何修正或想法都会不胜感激。
编辑:
这些是Chrome中的违规行。在maps.gstatic.com maps-api-v3 / api / js / 21/2 / main.js中找到。
Kh.main =函数(a){
eval(a)
};
fg(main,{});
函数ql(a){
return O(eval,k,window。+ a +())
}
看起来像主要固定在 Google地图3.23 - 请参阅 issue 4201
code> eval 在里面
blocks(请参阅:相关的修补程序) eval('document.namespaces')
> try
Getting script-src
'unsafe-eval'
error when trying to use Google Maps' API.
<script src="https://maps.googleapis.com/maps/api/js?v=3.exp&sensor=false"></script>
Here's the console error:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' ' *.gstatic.com *.googleapis.com *.google-analytics.com *.google.com".
You would think Google wouldn't have any unsafe-eval triggers in their libraries. Incase it could be my side my code is below:
js
function initialize() {
// Create the map.
var mapOptions = {
zoom: 4,
center: new google.maps.LatLng(37.09024, -95.712891),
mapTypeId: google.maps.MapTypeId.ROADMAP,
zoomControl: true,
streetViewControl: false
};
var map = new google.maps.Map(document.getElementById('map-canvas'),
mapOptions);
google.maps.event.addListener(map, "click", function (e) {
var marker = new google.maps.Marker({
draggable: true,
raiseOnDrag: false,
map: map,
position: e.latLng
});
var radius = Math.pow(2, (20 - map.getZoom())) * 3;
if (radius < 100) {
radius = 100;
}
var circle = new google.maps.Circle({
map: map,
editable: true,
radius: radius,
fillColor: '#0159e5',
strokeColor: '#0159e5',
strokeWeight: 1,
geodesic: true
});
circle.bindTo('center', marker, 'position');
google.maps.event.addListener(circle, 'radius_changed', function() {
if (circle.getRadius() < 100){
circle.setRadius(100);
}
});
//Set form fields
document.getElementById("geo-fence-lat").value = marker.getPosition().lat();
document.getElementById("geo-fence-long").value = marker.getPosition().lng();
document.getElementById("geo-fence-radius").value = Math.ceil(radius/100)*100;
google.maps.event.clearListeners(map, "click");
addListeners(circle);
});
}
Any fixes or ideas for GMaps alternatives would be appreciated.
Edit: These are the offending lines in Chrome. Found in maps.gstatic.com maps-api-v3/api/js/21/2/main.js.
Kh.main = function(a) {
eval(a)
};
fg("main", {});
function ql(a) {
return O(eval, k, "window." + a + "()")
}
Looks like it's been mostly fixed in Google Maps 3.23 - see issue 4201
There are still some instances of eval
in the code - like eval('document.namespaces')
inside of the try
blocks (see: related Closure fix)
这篇关于使用Google地图API的CSP不安全评估的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!