Firefox OS验证程序中检测到CSP违规 [英] CSP Violation Detected in Firefox OS validator

问题描述

我在firefox os验证器中有此消息：

I have this message in the firefox os validator :

Erreur：您的代码似乎正在执行违反CSP（内容安全策略）的操作特权应用。
您可以在Mozilla开发人员网站上找到有关CSP允许和不允许的内容的更多信息。 https://developer.mozilla.org/en-US/docs/Security/CSP

Erreur: It appears that your code may be performing an action which violates the CSP (content security policy) for privileged apps. You can find more information about what is and is not allowed by the CSP on the Mozilla Developers website. https://developer.mozilla.org/en-US/docs/Security/CSP

www/index.html
16
17
<script type="text/javascript" src="js/select2.js"></script>
<script>

代码index.html：

Code index.html :

<!DOCTYPE html> 
<html>
<head>
    <title>Chri App</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link href="js/jquery.css.min.css" rel="stylesheet"/>
    <script src="js/jquery-1.9.1.min.js"></script>
    <script src="js/jquery.mobile-1.3.1.min.js"></script>
            <meta charset='utf-8'> 
        <meta name="format-detection" content="telephone=no" />
                <link rel="stylesheet" type="text/css" href="css/index.css" />
        <meta name="viewport" content="width=device-width, initial-scale=1">  
        <link href="js/select2/select2.css" rel="stylesheet" > 
        <link href="css/web_app.css" rel="stylesheet" > 
        <script src="main.js"></script>
        <script type="text/javascript" src="js/select2/select2.js"></script> 
        <script>

        $(document).bind('pageinit',function(e ){


        $.support.cors = true;
        $.mobile.allowCrossDomainPages= true;
        $.mobile.selectmenu.prototype.options.nativeMenu = false;





            // When the testform is submitted
        $("#search-form-location").select2();
        $("#search-form-category").select2();
            $("#testform").submit(function() {

            $.mobile.loading('show');
.......

你有什么想法吗？

推荐答案

如果您正在编写特权（或认证）应用程序，它需要符合几个要求，以使其更加健壮 - 不易受到各种攻击。其中一个限制禁止内联javascript ，即javascript嵌入< script> 标记 - 您应该将这些内联脚本放入n外部 .js 文件，并通过 src 属性链接它们。

If you are writing a privileged (or certified) application, it needs to comply with several requirements, to make it more robust - less vulnerable to different kinds of attacks. One of the restrictions bans inline javascript, that is javascript embeded in <script> tags - you should place these inline scripts into an external .js file, and link them via the src attribute.

查看你的代码，这应该是验证者抱怨的原因（参见jQuery $（document）.bind（... 块） 。将此块放到外部文件中应解决此问题。

Looking at your code, this should be why the validator is complaining (see the jQuery $(document).bind(... block you have there). Putting this block to an external file should solve this.

您可以阅读有关 MDN：Apps CSP 。

这篇关于Firefox OS验证程序中检测到CSP违规的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！