CSP for embedding youtube video


Question

I've just started seeing this with my embedded youtube videos on Chrome (86.0.4240.193 - recently updated which is probably why I'm just seeing this) - these are 'reports' only, so the videos still show but 100s of errors can't be right! This is what I'm seeing:

[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'strict-dynamic' 'unsafe-inline' https: 'report-sample' 'nonce-t9IE7nI2leo7qKxsm7d80g=='".

Here's my iFrame --

<iframe id="video-iframe" width="500" height="281" src="https://www.youtube.com/embed/HIDDENVIDEO" frameborder="0" allowfullscreen ></iframe>

I cannot figure out what the CSP should be -- here's one that I found that apparently solved their problem --

<iframe id="video-iframe" width="500" height="281" src="https://www.youtube.com/embed/HIDDENVIDEO" frameborder="0" allowfullscreen csp="script-src 'self' https://www.google-analytics.com/ https://www.youtube.com/ https://s.ytimg.com/; object-src 'self'; child-src https://www.youtube.com/* https://s.ytimg.com/"></iframe>

Not so much -- I just see: Refused to display....

Any help much appreciated.

I just checked the developers.google.com/youtube/iframe_api_reference#Examples page and I'm seeing the same thing -- surely this shouldn't be happening, right?

Recommended answer

As you can see, this error is triggered not by your CSP - yours does not have the 'nonce-t9IE7nI2leo7qKxsm7d80g==' token. This error appears within Google's <iframe> and it's totally Google's internal deal.

The fact is that several previous versions of Chrome had a bug and did not block eval expressions.
In Chrome version 86 they fixed this bug, and to verify this they set the Report-Only header and made a fake call to eval to see the reports.

CSP for YouTube is very simple and does not require 'unsafe-eval', because everything works within an isolated iframe:
frame-src youtube.com www.youtube.com; is enough to allow YouTube in an iframe.

By the way, your CSP has an error - the * is not allowed in the path part. And be careful with <iframe csp= - if the server does not agree with your CSP, the content will be blocked.
But this <iframe csp= played a role because of one more Chrome bug - it ignores Content-Security-Policy-Report-Only if a Content-Security-Policy header is present.
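An added example, not code from the question or the answer, that checks the two points the answer makes: a small Python validator for CSP source expressions (a simplified subset of the CSP Level 3 grammar, with 'self' and other keywords treated as never matching a URL) that rejects the * in the question's child-src path and confirms that the suggested frame-src policy admits the embed URL.

```python
# Added example: simplified CSP3 source-expression checker (not a full implementation).
import re
from urllib.parse import urlsplit

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'", "'report-sample'"}
# host-source = [scheme "://"] host [":" port] [path]; host may start with "*.", path may not contain "*"
HOST_SOURCE = re.compile(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
                         r"(?::(?P<port>\d+|\*))?(?P<path>/[^*?#\s]*)?$", re.I)
SCHEME_SOURCE = re.compile(r"[a-z][a-z0-9+.-]*:$", re.I)

def validate_source(src):
    """Return None if src is a syntactically valid source expression, else the reason it is not."""
    if src.lower() in KEYWORDS or re.fullmatch(r"'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'", src):
        return None
    if SCHEME_SOURCE.match(src) or HOST_SOURCE.match(src):
        return None
    if "*" in src.split("://")[-1].partition("/")[2]:
        return "'*' is not allowed in the path part of a host-source"
    return "not a valid source expression"

def parse_policy(header):
    """Split a CSP header into {directive: [source, ...]}."""
    return {p[0].lower(): p[1:] for p in (d.split() for d in header.split(";")) if p}

def policy_errors(header):
    """List (directive, source, reason) for every malformed source expression in header."""
    return [(d, s, validate_source(s)) for d, srcs in parse_policy(header).items() for s in srcs if validate_source(s)]

def source_allows(src, url):
    """Does host-source or scheme-source src match url? Keyword sources ('self', 'none', ...) never match here."""
    u = urlsplit(url)
    if SCHEME_SOURCE.match(src):
        return u.scheme == src[:-1].lower()
    m = HOST_SOURCE.match(src)
    if not m or (u.scheme != m["scheme"].lower() if m["scheme"] else u.scheme not in ("http", "https")):
        return False  # schemeless sources are taken to match http and https alike (simplification)
    host, path, hostname = m["host"].lower(), m["path"], u.hostname or ""
    ok_host = host == "*" or hostname == host or (host.startswith("*.") and hostname.endswith(host[1:]))
    ok_port = not m["port"] or m["port"] == "*" or str(u.port or {"https": 443, "http": 80}.get(u.scheme)) == m["port"]
    ok_path = not path or (u.path.startswith(path) if path.endswith("/") else u.path == path)
    return ok_host and ok_port and ok_path

def frame_allowed(policy, url):
    """frame-src governs <iframe> loads and falls back to child-src, then default-src, when absent."""
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return any(source_allows(s, url) for s in policy[directive])
    return True  # no governing directive: the load is not restricted
```

Running policy_errors over the csp attribute from the question's second iframe reports exactly one malformed source, the child-src entry ending in /*, while the answer's frame-src policy admits https://www.youtube.com/embed/... and nothing else.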
