拒绝框架“https://www.youtube.com/embed/xxxxx,因为它违反了内容安全政策指令 [英] Refused to frame 'https://www.youtube.com/embed/xxxxx because it violates Content Security Policy directive
问题描述
我试图在我的页面中嵌入一个YouTube视频,并在控制台中看到这样的错误:
拒绝frame'https://www.youtube.com/embed/<~videoId~> ;?showinfo=0'
,因为它违反了以下内容安全策略指令:
default-srcself 。请注意,frame-src没有明确设置,所以
default-src被用作后备。
这似乎够清楚了,所以在阅读完一小段后,我发现了两种设置适当的内容安全通过设置一个响应头(我在我的web.config文件中):
-
$ b
< httpProtocol>
< customHeaders>
< add name =Content-Security-Policyvalue =frame-src https://www.youtube.com//>
< / customHeaders>
< / httpProtocol>
-
/ b>
< meta http-equiv =Content-Security-Policycontent =frame-src https://www.youtube.com>
这些方法的工作; Chrome继续在控制台中给出相同的结果(尽管我已经完成了我认为的消息意义并设置了所请求的内容安全策略)。
有很多关于内容安全政策的问题和答案,但是我不能在这种情况下找到任何东西。
我的网站在https上运行,我的iframe和嵌入式视频如下所示:
< div id =videoContainer>
这个问题只针对Chrome和FFirefox;如果没有内容安全策略,Internet Explorer 11是没问题的。
感谢您提供任何建议。
我自己找到了答案。我试图在Identity Server 3安装的登录页面上嵌入一个视频,这比我想象的要大得多。
Chrome网络标签包含一个来自Identity Server的csp报告,从中可以快速搜索到Identity Server文档中的答案:
https://identityserver.github.io/Documentation/docsv2/advanced/csp.html
添加cspOptions条目到身份服务器选项修复了问题wholelt,而不需要我添加任何我自己的自定义标头:
$ pre $ code var选项= (),
Factory = factory,
RequireSsl = true,
CspOptions = new CspOptions(){FrameSrc =https ://www.youtube.com},
...
...
}
I am trying to embed a youtube video in my page and see an error like this in the console:
Refused to frame 'https://www.youtube.com/embed/<~videoId~>?showinfo=0'
because it violates the following Content Security Policy directive:
"default-src 'self'". Note that 'frame-src' was not explicitly set, so
'default-src' is used as a fallback.
This seems clear enough, so after a bit of reading I found two ways of setting an appropriate content security policy.
by setting a response header (which I did in my web.config file):
<httpProtocol> <customHeaders> <add name="Content-Security-Policy" value="frame-src https://www.youtube.com/" /> </customHeaders> </httpProtocol>
with a meta tag in the page header:
<meta http-equiv="Content-Security-Policy" content="frame-src https://www.youtube.com">
Neither of these methods worked; Chrome keeps on giving the same result in the console (even though I have done what I thought the message meant and set the requested content security policy). The iframe remains blocked and empty.
There are lots of questions and answers about content security policies but I can't find any with this combination of circumstances.
My site is running on https and my iframe and embedded video looks like this:
<div id="videoContainer"> <iframe src="https://www.youtube.com/embed/<~videoId~>?showinfo=0" frameborder="0" allowfullscreen> </iframe> </div>
The problem only shows up for Chrome and FFirefox; Internet Explorer 11 is fine without a content security policy.
Thanks in advance for any advice.
I found the answer to this myself. I was trying to embed a video on the login page of an Identity Server 3 installation and this made a bigger difference than I thought it would.
the Chrome network tab contained a csp report from Identity Server, from which clue a quick search revealed the answer here in the Identity Server documentation: https://identityserver.github.io/Documentation/docsv2/advanced/csp.html
Adding a cspOptions entry to the identity server options fixed the issue entirelt without the need for me to add any of my own custom headers:
var options = new IdentityServerOptions
{
SigningCertificate = Certificate.Load(),
Factory = factory,
RequireSsl = true,
CspOptions = new CspOptions() {FrameSrc = "https://www.youtube.com"},
...
...
}
这篇关于拒绝框架“https://www.youtube.com/embed/xxxxx,因为它违反了内容安全政策指令的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!