脚本导致“拒绝执行内联脚本:需要'unsafe-inline'关键字，散列…或现时才可以启用内联执行" [英] Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”

问题描述

我不断收到此错误:

拒绝执行内联脚本，因为它违反了以下内容安全策略指令:"default-src'self'data:gap: http://www.visitsingapore.com https://ssl.gstatic.com '不安全-评估".关键字'unsafe-inline'，散列('sha256-V +/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI =')或随机数('nonce -...')是启用内联执行所必需的.另请注意，未明确设置"script-src"，因此将"default-src"用作后备.

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

谁能告诉我如何解决这个问题，这是什么意思?我的代码是:

Can anyone tell me how to solve this and what does it mean? My code is:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data:gap: http://www.visitsingapore.com   https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="css/index.css">
<link rel="stylesheet" href="css/jquery.mobile-1.4.5.css">
<script src="lib/jquery-3.2.1.min.js"></script>

<script type="text/javascript" src="scripts/key.js"></script>
<script>$.ajax({
        url: ' http://www.visitsingapore.com/api.listing.en.json',
        type: 'GET',
        beforeSend: function (xhr) {
            xhr.setRequestHeader('email ID', '-------@gmail.com');
            xhr.setRequestHeader('token ID', '-------');
        },
        data: {},
        success: function (qwe12) {
            var TrueResult2 = JSON.stringify(qwe12);
            document.write(TrueResult2);
        },
        error: function () { },
    });</script>

推荐答案

解决此问题的最佳方法是将$.ajax(…)调用移出文档，然后将其移至名为ajax-call.js的外部文件中，然后做到这一点:

The best way to fix this would be to take that $.ajax(…) call out of the document and move it into an external file called ajax-call.js, and then do this:

<script src="ajax-call.js"></script>

更好的原因是，如果您已经在努力为文档设置CSP策略，那么理想情况下，您应该付出额外的努力来删除所有内联脚本.

The reason that’s better is that if you’re already going to the effort of setting a CSP policy for your document, then you should ideally go to the additional effort of removing all inline scripts.

但是，如果出于某些原因您确实需要使该脚本在文档中保持内联，则可以更改该meta元素，以便将错误消息中的精确sha256哈希值作为源包括在内.对于script-src指令，如下所示(添加了一些换行符只是为了提高可读性):

But if for some reason you really need to keep that script inline in the document, you can change that meta element so that exact sha256 hash value from the error message is included as a source for the script-src directive, like this (with some line breaks added just for readability):

<meta http-equiv="Content-Security-Policy"
  content="default-src 'self' data:gap: http://www.visitsingapore.com 
  https://ssl.gstatic.com 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  media-src *;
  script-src: 'sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='
">

还有几个地方可以获取更多信息:

And a couple places to get a bit more information:

• developers.google.com/web/fundamentals/security/csp/#if_you_absolutely_must_use_it
• www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Refactoring_inline_code

• developers.google.com/web/fundamentals/security/csp/#if_you_absolutely_must_use_it
• www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Refactoring_inline_code

这篇关于脚本导致“拒绝执行内联脚本:需要'unsafe-inline'关键字，散列…或现时才可以启用内联执行"的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！