因为它违反了以下内容安全策略指令：“style-src'self'”。 [英] because it violates the following Content Security Policy directive: "style-src 'self'"

问题描述

这是一个只有twitter bootstrap js的非交互式页面。

 < HEAD> 
< title>版本：unknown bl version vs. 1.0.487 [flavor：HISTORIC_TIME]< / title> 
< link rel =stylesheethref =https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css> 
< link rel =stylesheethref =https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css> 
< script type =scriptsrc =https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js>< / script> 
< meta content =text / html; charset = utf-8http-equiv =content-type> 
 < / head> 
  

我在stackoverflow上看到一些帖子，但无法理解如何解决这个问题。

拒绝加载样式表
'

但它并没有帮助

有什么想法吗？ 试试 试试将CSP拆分为一个单独的标签并添加一个style-src引用，如下所示：

 < meta http-equiv = content-typecontent =text / html; charset = utf-8;> 
< meta http-equiv =Content-Security-Policycontent =script-src'self'http://onlineerp.solution.quebec'unsafe-inline' '不安全-EVAL'; style-src'self'maxcdn.bootstrapcdn.com> 
  

这应该说你相信样式来自maxcdn.bootstrapcdn.com。

内容安全政策的绝佳解释在 http://content-security-policy.com/

I have a webpage with this header.

It's a non interactive page with just twitter bootstrap js.

<head>
    <title>Versions: unknown bl version vs. 1.0.487 [flavor: HISTORIC_TIME]</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css">
    <script type="script" src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js"></script>
    <meta content="text/html; charset=utf-8" http-equiv="content-type">
    <link rel="icon" href="/jenkins/view/QA/job/RoutingRegression/ws/src/main/resources/html_pages/images/favicon.png" type="image/gif" sizes="16x16">
</head>

I saw some posts on stackoverflow but couldn't understand how to fix this.

Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self'".

landing_page.html:1 Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css' because it violates the following Content Security Policy directive: "style-src 'self'".

I tried to change the <meta> to

<meta content="text/html; charset=utf-8 ;script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval';" http-equiv="content-type">

but it didn't help

any idea?

解决方案

Try splitting out the CSP into a separate tag and add a style-src reference, like this:

<meta http-equiv="content-type" content="text/html; charset=utf-8 ;">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval'; style-src 'self' maxcdn.bootstrapcdn.com"> 

This should say that you trust styles coming from maxcdn.bootstrapcdn.com.

Great explanation of Content Security Policy is at http://content-security-policy.com/

这篇关于因为它违反了以下内容安全策略指令：“style-src'self'”。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！