Content security policy including a script


Problem description


I need to include this script https://apis.google.com/js/api:client.js in my website. On Google Chrome it works fine, but on Firefox (and IE obviously) I get some errors:


Content Security Policy: Ignoring "‘unsafe-inline’" within script-src: ‘strict-dynamic’ specified

Content Security Policy: Ignoring "https:" within script-src: ‘strict-dynamic’ specified

Content Security Policy: Ignoring "http:" within script-src: ‘strict-dynamic’ specified


I tried to change the Content security policy header in a meta tag but it didn't work.

I tried with all of these:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';">

<meta http-equiv="Content-Security-Policy" content="default-src 'self' apis.google.com">

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://*.google.com; object-src 'self' 'unsafe-eval'"> 

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' apis.google.com;">

Solution

You have to edit the CSP headers not in the HTML, but in the server's HTTP headers. Do you have control of the server?

Meta tags and such will be ignored because the HTTP headers take precedence; fix those first.
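
What the three Firefox messages mean for the meta-tag attempts, as an added example that is not part of the original question or answer: a simplified JavaScript model of script-src matching in which every delivered policy must allow the script. The header value, the nonce and the function names are assumptions constructed for illustration; the page does not show the server's actual header.

```javascript
// Added example: simplified CSP3 script-src check for an external <script src>.
// Not a full parser: paths, ports, hashes and 'self' are not modelled, and
// scheme-less host sources accept any scheme here.

// Source list that governs scripts: script-src, falling back to default-src.
function scriptSources(policy) {
  const dirs = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !dirs.has(name.toLowerCase())) dirs.set(name.toLowerCase(), values);
  }
  return dirs.get('script-src') ?? dirs.get('default-src') ?? null;
}

// With 'strict-dynamic', host/scheme sources, 'self' and 'unsafe-inline' are ignored.
function ignoredUnderStrictDynamic(sources) {
  if (!sources.includes("'strict-dynamic'")) return [];
  return sources.filter(s => !s.startsWith("'") || s === "'self'" || s === "'unsafe-inline'");
}

// Match a scheme source ("https:") or a host source ("apis.google.com", "https://*.google.com").
function sourceMatches(source, url) {
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m || (m[1] && m[1].toLowerCase() + ':' !== u.protocol)) return false;
  const host = m[3].toLowerCase();
  return m[2] ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

function policyAllows(policy, url, nonce) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no directive governs scripts
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const ignored = ignoredUnderStrictDynamic(sources);
  return sources.some(s => !s.startsWith("'") && !ignored.includes(s) && sourceMatches(s, url));
}

// Header and meta policies are all enforced: the script must pass every one.
const pageAllows = (policies, url, nonce) => policies.every(p => policyAllows(p, url, nonce));

// Constructed header (assumption), chosen to produce the three Firefox messages.
const HEADER = "script-src 'nonce-r4nd0m' 'unsafe-inline' 'strict-dynamic' https: http:";
// First meta policy from the question.
const META = "default-src 'none'; img-src 'self'; script-src 'self' apis.google.com; style-src 'self';";
const SCRIPT_URL = 'https://apis.google.com/js/api:client.js';

console.log(ignoredUnderStrictDynamic(scriptSources(HEADER)));
console.log(pageAllows([HEADER, META], SCRIPT_URL), pageAllows([HEADER, META], SCRIPT_URL, 'r4nd0m'));
```

In this model the meta allowlist cannot restore the sources that the header policy ignores, so the script passes only once the header policy itself allows it, here through the nonce.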
