如何更改内容安全策略指令以允许addThis小部件? [英] How to change Content Security Policy directive to allow for addThis widget?

问题描述

我正在建立一个使用webpack的网站.
我将要启动它，我想戴上addThis共享小部件.我正在按照addThis的建议在关闭body标签之前在index.html中添加addThis代码.像这样:

I am making a site that uses webpack.
I am about to launch it and I want to put on addThis share widget. I am adding the addThis code in the index.html right before closing body tag as advised by addThis. Like this:

  <!-- Go to www.addthis.com/dashboard to customize your tools -->
  <script type="text/javascript" 
  src="//s7.addthis.com/js/300/addthis_widget.js#pubid=ra- 
  ###MY_NUMBERS###"></script>
</body>

这会在chrome-inspect控制台中产生以下错误:

this generates the following error in chrome-inspect console:

拒绝加载脚本
' http://s7.addthis.com/js/300/addthis_widget.js'，因为它违反了
以下内容安全策略指令:"script-src'self'".

Refused to load the script
'http://s7.addthis.com/js/300/addthis_widget.js' because it violates
the following Content Security Policy directive: "script-src 'self'".

我已经阅读了一些内容，将addThis分离到另一个js文件并将其保存到本地以将其加载到DOM似乎不起作用.

I have read up a little on it and it does not seem to work to seperate addThis to another js-file and save that locally to load it to DOM.

我尝试将其添加到我的manifest.json:

I tried add this to my manifest.json:

"content_security_policy": "script-src 'self' http://s7.addthis.com/js/300/addthis_widget.js; object-src 'self'"

没有成功.有没有办法覆盖CSP设置以允许addThis-widget?

No success. Is there a way to override CSP settings to allow for addThis-widget?

推荐答案

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 
'unsafe-eval' https://*.addthis.com https://addthis.com;child-src 'self' 'unsafe- 
inline' 'unsafe-eval' https://*.addthis.com https://addthis.com; object-src 'self' 
'unsafe-inline' 'unsafe-eval' https://*.addthis.com https://addthis.com; script-src 
'self' 'unsafe-inline' 'unsafe-eval' https://*.addthis.com https://addthis.com; img-src 
'self' 'unsafe-inline' 'unsafe-eval' https://*.addthis.com https://addthis.com;">

将其添加到标题中将允许加载addthis小部件.可能不安全，这将违背内容安全策略的目的...

Adding this to your header will allow the addthis widget to load. Might not be secure, which will defeat the purpose of Content-Security-Policies...

这篇关于如何更改内容安全策略指令以允许addThis小部件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！