Violating Content Security Policy directive after ember-cli 0.0.47 upgrade

Problem description

I upgraded my ember-cli app to 0.0.47 and am now getting a bunch of errors in my browser console related to the content security policy. How do I fix this issue?

Refused to load the script 'http://use.typekit.net/abcdef.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729".
 login:1
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
 login:20
Refused to load the script 'http://connect.facebook.net/en_US/all.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729".
 login:1
Refused to load the script 'http://maps.googleapis.com/maps/api/js?libraries=places' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729".

Here are the lines in my app/index.html file:

<script type="text/javascript" src="//use.typekit.net/abcdef.js"></script>
<script type="text/javascript">try{Typekit.load();}catch(e){}</script>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script type="text/javascript" src="http://maps.googleapis.com/maps/api/js?libraries=places"></script>

Recommended answer

After reading some docs at http://content-security-policy.com/ and https://github.com/rwjblue/ember-cli-content-security-policy, I added some policies to my config/environment.js file like so:

module.exports = function(environment) {
  var ENV = {
    // Directives read by the ember-cli-content-security-policy addon
    contentSecurityPolicy: {
      'default-src': "'none'",
      // 'unsafe-inline' is what permits the inline Typekit.load() call in app/index.html
      'script-src': "'self' 'unsafe-inline' 'unsafe-eval' use.typekit.net connect.facebook.net maps.googleapis.com maps.gstatic.com",
      'font-src': "'self' data: use.typekit.net",
      'connect-src': "'self'",
      'img-src': "'self' www.facebook.com p.typekit.net",
      'style-src': "'self' 'unsafe-inline' use.typekit.net",
      'frame-src': "s-static.ak.facebook.com static.ak.facebook.com www.facebook.com"
    },

    // ...
  };

  return ENV;
};

This made all the immediate errors go away, but as soon as I started navigating my app, new ones appeared related to S3 media sources.

I'm sure this works for apps that don't include any external resources, but I've decided to remove "ember-cli-content-security-policy" from my package.json file.
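
A policy like the one above can be checked against the resources an app loads before the browser reports them one page at a time. This is an added example, not code from the original answer or from the addon: it applies the CSP rule that a fetch directive missing from the policy (such as media-src) falls back to default-src, using a simplified host match. The helper names, the origin `http://localhost:4200` and the S3 bucket URL are constructed for illustration.

```javascript
// Policy copied from the answer's config/environment.js.
const policy = {
  'default-src': "'none'",
  'script-src': "'self' 'unsafe-inline' 'unsafe-eval' use.typekit.net connect.facebook.net maps.googleapis.com maps.gstatic.com",
  'font-src': "'self' data: use.typekit.net",
  'connect-src': "'self'",
  'img-src': "'self' www.facebook.com p.typekit.net",
  'style-src': "'self' 'unsafe-inline' use.typekit.net",
  'frame-src': "s-static.ak.facebook.com static.ak.facebook.com www.facebook.com"
};

// Source list the browser enforces: the named directive if present, else default-src.
function effectiveSources(policy, directive) {
  const list = policy[directive] !== undefined ? policy[directive] : policy['default-src'];
  return (list || '').split(/\s+/).filter(Boolean);
}

// Simplified matching (assumption): 'self', scheme sources such as data:, exact hosts
// and "*.host" wildcards. Ports, paths and scheme-upgrade rules are not modelled.
function isAllowed(policy, directive, url, origin) {
  const target = new URL(url, origin);
  return effectiveSources(policy, directive).some(function (src) {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === new URL(origin).origin;
    if (src.endsWith(':')) return target.protocol === src;
    if (src.startsWith('*.')) return target.hostname.endsWith(src.slice(1));
    return !src.startsWith("'") && target.hostname === src;
  });
}

// Returns the loads the policy would refuse, so gaps show up in one pass.
function findViolations(policy, loads, origin) {
  return loads.filter(function (l) { return !isAllowed(policy, l.directive, l.url, origin); });
}

// Constructed sample loads; the S3 bucket name is a placeholder.
const sampleLoads = [
  { directive: 'script-src', url: 'http://use.typekit.net/abcdef.js' },
  { directive: 'script-src', url: 'http://maps.googleapis.com/maps/api/js?libraries=places' },
  { directive: 'img-src', url: '/assets/logo.png' },
  { directive: 'media-src', url: 'https://example-bucket.s3.amazonaws.com/clip.mp4' },
  { directive: 'img-src', url: 'https://example-bucket.s3.amazonaws.com/photo.jpg' }
];

console.log(findViolations(policy, sampleLoads, 'http://localhost:4200'));
```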