允许某些脚本设置内联样式 [英] Allowing certain scripts to set inline styles

问题描述

我正在使用csp标头保护我的页面。我同时设置了 X-Content-Security-Policy 和 X-Webkit-CSP 。更改为以下值：

I'm securing my page using a csp headers. I set both X-Content-Security-Policy and X-Webkit-CSP. to the following value:

default-src 'self';
object-src 'none';
frame-src 'self' *.youtube.com;
style-src 'self' https://ajax.googleapis.com;
script-src 'self' https://ajax.googleapis.com;
report-uri /csp_report

一切正常，但是我在Chrome中看到以下错误。我尚未在其他浏览器中对其进行测试。

Everything loads fine, but I get tHe following error in chrome. I have yet to test it in other browsers.

Refused to apply inline style because it violates the following Content 
Security Policy directive: "style-src 'self' https://ajax.googleapis.com".

在当前域的脚本中引用一行，试图插入一些包含内联样式的HTML 。有没有一种方法可以让我在usin script-src中列入白名单的脚本执行此操作？我在托管于ajax.googleapis.com上的jquery中遇到了相同的错误。

referring to a line in a script on the current domain, that's trying to insert some HTML containing inline styles. Is there a way to allow scripts that I have whitelisted usin script-src to do this? I'm getting the same error for jquery, hosted on ajax.googleapis.com.

推荐答案

我忽略了不安全内联 。我允许加载的资源可以通过以下方式使用内联样式：

I overlooked 'unsafe-inline'. Resources that I allowed to load can use inline styles by doing this:

style-src 'unsafe-inline'

这篇关于允许某些脚本设置内联样式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！