Content-Security-Policy issue


Problem description

I'm using the code below in my .htaccess, but for some reason I'm getting an error message in the console. Any idea what the issue is?

Thanks

<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self' https://maxcdn.bootstrapcdn.com/ https://oss.maxcdn.com/ https://cdnjs.cloudflare.com https://ajax.googleapis.com https://maps.googleapis.com https://fonts.googleapis.com/ https://www.facebook.com/ https://www.facebook.net/ https://connect.facebook.net https://connect.facebook.com"
</IfModule>

Answer

You have an inline script on your page, i.e. something like this:

<script>
...
</script>

This is either directly in your HTML, or in a component you use (e.g. a Facebook widget you pull into your page adds it), or perhaps in a browser extension your browser uses.

You can allow this inline script by adding 'unsafe-inline' to your config like this:

<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'unsafe-inline' 'self' https://maxcdn.bootstrapcdn.com/ https://oss.maxcdn.com/ https://cdnjs.cloudflare.com https://ajax.googleapis.com https://maps.googleapis.com https://fonts.googleapis.com/ https://www.facebook.com/ https://www.facebook.net/ https://connect.facebook.net https://connect.facebook.com"
</IfModule>

However, this would defeat most of the protection of Content Security Policy (CSP), which is specifically designed to stop rogue scripts running on your site and so prevent security problems like Cross-Site Scripting (XSS).

I suggest you read up a lot more on CSP before implementing it. I can suggest my own blog post as a starter: https://www.tunetheweb.com/security/http-security-headers/csp/
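The answer stops at "don't add 'unsafe-inline'", so here is the alternative a practitioner would usually reach for: allow each inline script by its SHA-256 hash and keep the rest of the asker's allow-list unchanged. This is an added example, not code from the question, the answer or the linked blog post. The sample HTML, the page origin https://www.example.com (what 'self' resolves to) and all function names are assumptions made for the demonstration; the allow-list itself is copied from the question. The small `script_allowed` evaluator implements the relevant part of CSP source matching (host sources, 'self', hash sources, and the rule that a hash or nonce makes 'unsafe-inline' ignored) so you can see the original policy block the inline blocks and the hashed policy admit them without opening the door to arbitrary inline code.

```python
"""Allow a page's inline scripts under CSP by hash instead of 'unsafe-inline'.

Added example, not code from the original question or answer. The sample HTML,
the page origin and the helper names are assumptions made for the demonstration.
"""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample page standing in for the asker's HTML: two CDN scripts the
# original policy already allows, plus two inline blocks that it blocks.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script>
  window.dataLayer = window.dataLayer || [];
</script>
</head><body>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<script>document.getElementById('signup').focus();</script>
</body></html>
"""

PAGE_ORIGIN = "https://www.example.com"  # assumed origin that 'self' resolves to

# The asker's original script-src allow-list, copied from the question.
ORIGINAL_SOURCES = [
    "'self'", "https://maxcdn.bootstrapcdn.com/", "https://oss.maxcdn.com/",
    "https://cdnjs.cloudflare.com", "https://ajax.googleapis.com",
    "https://maps.googleapis.com", "https://fonts.googleapis.com/",
    "https://www.facebook.com/", "https://www.facebook.net/",
    "https://connect.facebook.net", "https://connect.facebook.com",
]
ORIGINAL_POLICY = "script-src " + " ".join(ORIGINAL_SOURCES)


class ScriptCollector(HTMLParser):
    """Separate <script src=...> references from inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []  # start capturing an inline body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def collect_scripts(html: str) -> ScriptCollector:
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def csp_hash(script_text: str) -> str:
    """CSP hash-source for an inline script: SHA-256 over the exact UTF-8 bytes
    between <script> and </script>, so any whitespace change invalidates it."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hashed_policy(html: str, sources=ORIGINAL_SOURCES) -> str:
    """Original allow-list plus one hash per inline script, no 'unsafe-inline'."""
    hashes = [csp_hash(body) for body in collect_scripts(html).inline]
    return "script-src " + " ".join(list(sources) + hashes)


def htaccess_line(policy: str) -> str:
    """The mod_headers directive the asker is editing, with the new value."""
    return f'Header set Content-Security-Policy "{policy}"'


def _host_matches(source: str, url: str) -> bool:
    """CSP host-source matching (scheme, host, port, path prefix) for one token."""
    if source == "'self'":
        source = PAGE_ORIGIN
    if source.startswith("'"):
        return False  # keyword, nonce and hash sources never match a URL
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme != u.scheme or s.hostname != u.hostname or s.port != u.port:
        return False
    if s.path in ("", "/"):
        return True
    return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path


def script_allowed(policy: str, *, src: Optional[str] = None,
                   inline: Optional[str] = None) -> bool:
    """Decide whether a script runs under the policy's script-src directive."""
    directives = [d.split() for d in policy.split(";") if d.strip()]
    sources = next((d[1:] for d in directives if d[0] == "script-src"), [])
    if inline is not None:
        has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
        # Browsers ignore 'unsafe-inline' once a hash or nonce source is present.
        if "'unsafe-inline'" in sources and not has_hash_or_nonce:
            return True
        return csp_hash(inline) in sources
    return any(_host_matches(s, src) for s in sources)


if __name__ == "__main__":
    scripts = collect_scripts(SAMPLE_HTML)
    for body in scripts.inline:
        print("blocked by original policy:", not script_allowed(ORIGINAL_POLICY, inline=body))
    print(htaccess_line(hashed_policy(SAMPLE_HTML)))
```

Run it and paste the printed `Header set` line into the `<IfModule mod_headers.c>` block in place of the original. Two caveats the hash approach carries: the hash covers the exact bytes of the script body, so a template engine that reindents or minifies the inline block at deploy time silently breaks it (regenerate the hashes as part of the build, or switch to a per-response nonce), and a script injected by a third-party widget or a browser extension is not in your HTML at build time, so it will still be reported; check the console message to see which of the two you are dealing with before touching the policy.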

