允许某些脚本设置内联样式 [英] Allowing certain scripts to set inline styles
问题描述
我正在使用csp标头保护我的页面。我同时设置了 X-Content-Security-Policy
和 X-Webkit-CSP
。更改为以下值:
I'm securing my page using a csp headers. I set both X-Content-Security-Policy
and X-Webkit-CSP
. to the following value:
default-src 'self';
object-src 'none';
frame-src 'self' *.youtube.com;
style-src 'self' https://ajax.googleapis.com;
script-src 'self' https://ajax.googleapis.com;
report-uri /csp_report
一切正常,但是我在Chrome中看到以下错误。我尚未在其他浏览器中对其进行测试。
Everything loads fine, but I get tHe following error in chrome. I have yet to test it in other browsers.
Refused to apply inline style because it violates the following Content
Security Policy directive: "style-src 'self' https://ajax.googleapis.com".
在当前域的脚本中引用一行,试图插入一些包含内联样式的HTML 。有没有一种方法可以让我在usin script-src中列入白名单的脚本执行此操作?我在托管于ajax.googleapis.com上的jquery中遇到了相同的错误。
referring to a line in a script on the current domain, that's trying to insert some HTML containing inline styles. Is there a way to allow scripts that I have whitelisted usin script-src to do this? I'm getting the same error for jquery, hosted on ajax.googleapis.com.
推荐答案
我忽略了不安全内联
。我允许加载的资源可以通过以下方式使用内联样式:
I overlooked 'unsafe-inline'
. Resources that I allowed to load can use inline styles by doing this:
style-src 'unsafe-inline'
这篇关于允许某些脚本设置内联样式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!