如何允许内容安全策略从Google API运行外部JavaScript? [英] How to allow content security policy to run external javascript from google api?
问题描述
这是我当前针对我的应用的script-src内容安全策略:
This is my current script-src content security policy for my app:
script-src'self''unsafe-inline'https://maps.googleapis.com https://maps.gstatic.com;
尝试加载以下外部js代码:
trying to load the following external js code:
https://maps.googleapis.com/maps/api/js?key=$ {GOOGLE_API_KEY}& libraries = places& language = he
使用unsafe-inline可以正常运行,但可能不安全,因此我想在代码中将其删除,但随后它不允许脚本运行.试图将 https://maps.googleapis.com/ *之类的值添加到script-src中,但是它仍然没有用.如何允许来自特定域的脚本?
using unsafe-inline it works, but probably unsafe, so I want to remove it in my code, but then it doesn't allow the script to run. tried to add to script-src a value such as https://maps.googleapis.com/* but it still didn't work. how would one allow scripts from a specific domain?
推荐答案
I had the same problem but was able to resolve it by using a hash with https://*.googleapis.com
whitelisted.
script-src
指令可让开发人员将特定内联列入白名单通过将其哈希指定为允许的脚本源来编写脚本.
The
script-src
directive lets developers whitelist a particular inline script by specifying its hash as an allowed source of script.
用法很简单.服务器计算特定哈希值脚本块的内容,并包括该脚本的base64编码 Content-Security-Policy
标头中的值.
Usage is straightforward. The server computes the hash of a particular
script block’s contents, and includes the base64 encoding of that
value in the Content-Security-Policy
header.
例如:
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-...4aQo=' https://*.googleapis.com">
请注意,对于动态应用程序,最好使用 nonce .
Note that for dynamic applications it's better to use a nonce.
希望这会有所帮助!
这篇关于如何允许内容安全策略从Google API运行外部JavaScript?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!