Content-Security-Policy object-src blob [英] Content-Security-Policy object-src blob
问题描述
使用内容安全策略时,我尝试使用 window.URL.createObjectURL在Chrome 41(beta)中遵循一个流程我收到如下错误:
拒绝加载来自'blob:http%3A // localhost%'的插件数据3A7000 / f59612b8-c760-43a4-98cd-fe2a44648393',因为它违反了以下内容安全策略指令:object-src blob:// *
通过限制 从规范这应该工作,因为它为 object-src
或其他
pre $ blob = new Blob
[%PDF-1。 << / Root<< / Pages<< / Kids [<< / MediaBox>>>>>] ,
{type:application / pdf})
$(< embed>))。attr(src,window.URL.createObjectURL(blob))
.appendTo (document.body)
data:// *
。我也尝试过 blob
, blob:
blob:*
, blob:http *
, blob:http:*
, blob:http:/ / *
,但无济于事。
什么工作,但出于显而易见的原因是不可取的,是 object- src *
。
有没有人成功获取blob以加载内容安全策略?这是上游的问题,还是我忽略了一些东西?解析方案
符合规范的答案是 object- src'self'blob:
blob:
应该只匹配 blob:
,而不是'self'
或 *
。这是 Chrome 中的一个错误,最近在< a href =https://bugzilla.mozilla.org/show_bug.cgi?id=1086999 =noreferrer> Firefox 40。
When using a content-security-policy and I try to follow a process in Chrome 41 (beta) using window.URL.createObjectURL I get an error like the following:
Refused to load plugin data from 'blob:http%3A//localhost%3A7000/f59612b8-c760-43a4-98cd-fe2a44648393' because it violates the following Content Security Policy directive: "object-src blob://*"
With a content security policy that restricts object-src
or otherwise default-src
one can reproduce the issue (with jQuery for convenience) like this:
blob = new Blob(
["%PDF-1.\ntrailer<</Root<</Pages<</Kids[<</MediaBox[0 0 3 3]>>]>>>>>>"],
{ type: "application/pdf" })
$("<embed>").attr("src", window.URL.createObjectURL(blob))
.appendTo(document.body)
It seems from the spec that this should work, as it does for data://*
. I have tried also blob
, blob:
, blob:*
, blob:http*
, blob:http:*
, blob:http://*
, but to no avail.
What does work, but for apparent reasons is undesirable, is object-src *
.
Has anyone had any success getting blobs to load with a content security policy? Is this a problem upstream, or have I overlooked something?
The spec compliant answer is object-src 'self' blob:
blob:
should only match blob:
explicitly, and not 'self'
or *
. This is a bug in Chrome, and was recently fixed in Firefox 40.
这篇关于Content-Security-Policy object-src blob的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!