Trouble with content security policy


Problem description

So I have been trying to use a Google Programmable Search Engine script, but I am having trouble with the meta tag. The meta tag that I have included in my is as follows:

<meta http-equiv="Content-Security-Policy" content="script-src *.google.com 'self';">

However, I am still getting an error telling me it refused to load the script because it violates the "content-security-policy directive: "script-src 'self'""

I am wondering whether it inherits some sort of settings from somewhere else, as it doesn't accept the new script-src I am setting; however, it does accept the new script-src if I set it to 'none'.

By the way, I am very new to HTML, so I might be making some obvious mistake.

Recommended answer

Looks like you have 2 Content-Security-Policy issued. If there are multiple CSPs, the strictest rules from both will apply (all sources/tokens should pass via both CSPs unscratched).

Content Security Policy could be delivered in 2 ways:

  • via the HTTP header Content-Security-Policy: (preferred)
  • via a meta tag (limited possibilities)

So you need to check for double <meta http-equiv="Content-Security-Policy" in the HTML code.

And check the HTTP response headers (because a CMS could publish a CSP by default) in the browser developer tools (Ctrl+Shift+i in Chrome and Ctrl+Shift+k in Firefox -> Network tab -> select the main page in the left window and look at Response headers):
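
The rule the answer describes, as an added example that is not part of the original answer: a simplified evaluator showing that a script must pass every delivered policy, so a `script-src 'self'` header still blocks the Google script even though the meta tag allows it. The page URL, script URL, header value and all function names are assumptions made for illustration.

```javascript
// Simplified CSP check for script loads. Each delivered policy is enforced on
// its own, so a URL must be allowed by ALL of them. Handles 'self', 'none', *
// and host sources with a leading wildcard; nonces, hashes, ports, paths and
// scheme restrictions are ignored.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive inside one policy is ignored: first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, scriptUrl, pageUrl) {
  if (source === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (source === '*') return ['http:', 'https:'].includes(scriptUrl.protocol);
  if (source.startsWith("'")) return false; // 'none' and keywords not modelled here
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').toLowerCase();
  // *.google.com matches subdomains only, not google.com itself.
  if (host.startsWith('*.')) return scriptUrl.hostname.endsWith(host.slice(1));
  return scriptUrl.hostname === host;
}

function policyAllowsScript(policyText, scriptUrl, pageUrl) {
  const d = parsePolicy(policyText);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true; // this policy does not restrict scripts
  return sources.some((s) => sourceMatches(s, scriptUrl, pageUrl));
}

function evaluate(policies, script, page) {
  const scriptUrl = new URL(script);
  const pageUrl = new URL(page);
  const blockedBy = policies
    .filter((p) => !policyAllowsScript(p.value, scriptUrl, pageUrl))
    .map((p) => p.via);
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed sample: the meta tag from the question plus a header of the kind
// a server or CMS might add by default. URLs are placeholders.
const PAGE = 'https://site.example/index.html';
const SCRIPT = 'https://cse.google.com/cse.js';
const META = { via: 'meta', value: "script-src *.google.com 'self';" };
const HEADER = { via: 'header', value: "script-src 'self'" };

console.log(evaluate([META], SCRIPT, PAGE));
console.log(evaluate([HEADER, META], SCRIPT, PAGE));
```

This also explains the observation in the question: a meta policy of `script-src 'none'` appears to be "accepted" because it is stricter than the header, while a looser meta policy cannot widen what the header already forbids.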
