nginx Content-Security-Policy Header 仍然阻塞 bootstrapcdn
nginx Content-Security-Policy Header still blocking bootstrapcdn
我的 nginx.conf
中有以下内容
add_header Content-Security-Policy
"default-src 'self';
img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com;
style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com;
font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com;
frame-src 'self' *.vimeocdn.com *.vimeo.com;
object-src 'self'";
(我不得不将它多行以使其清晰...)
但是,在我的站点中,我仍然收到此错误:
Content Security Policy: The page’s settings blocked the loading of a resource at http://netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css (“style-src”).
当它被列入上面的白名单时,知道为什么会发生这种情况吗?
正如@tarun-lalwani 提到的,any add_header 另一个块中的指令可能很重要。更准确地说,如果 add_header(对于任何 header)在后代块中使用,则此 Content-Security-Policy 将在此类后代块中被丢弃。
These directives are inherited from the previous level if and only if
there are no add_header directives defined on the current level.
为避免代码复制 (DRY),可以使用变量或 include 指令(或在大量情况下生成 nginx 配置)。
以防万一,在实际配置中不应使用 multi-line header 值。通过 curl -I https://example.com/path 检查您的服务器响应。为了在配置中获得更好的可读性,可以使用变量。
示例:
set $CSP_image "img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; ";
set $CSP_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; ";
set $CSP_style "style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; ";
set $CSP_font "font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; ";
set $CSP_frame "frame-src 'self' *.vimeocdn.com *.vimeo.com; ";
set $CSP_object "object-src 'self' ; ";
set $CSP "default-src 'self' ; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object}";
add_header Content-Security-Policy $CSP;
我的 nginx.conf
中有以下内容add_header Content-Security-Policy
"default-src 'self';
img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com;
style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com;
font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com;
frame-src 'self' *.vimeocdn.com *.vimeo.com;
object-src 'self'";
(我不得不将它多行以使其清晰...)
但是,在我的站点中,我仍然收到此错误:
Content Security Policy: The page’s settings blocked the loading of a resource at http://netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css (“style-src”).
当它被列入上面的白名单时,知道为什么会发生这种情况吗?
正如@tarun-lalwani 提到的,any add_header 另一个块中的指令可能很重要。更准确地说,如果 add_header(对于任何 header)在后代块中使用,则此 Content-Security-Policy 将在此类后代块中被丢弃。
These directives are inherited from the previous level if and only if there are no
add_headerdirectives defined on the current level.
为避免代码复制 (DRY),可以使用变量或 include 指令(或在大量情况下生成 nginx 配置)。
以防万一,在实际配置中不应使用 multi-line header 值。通过 curl -I https://example.com/path 检查您的服务器响应。为了在配置中获得更好的可读性,可以使用变量。
示例:
set $CSP_image "img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; ";
set $CSP_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; ";
set $CSP_style "style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; ";
set $CSP_font "font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; ";
set $CSP_frame "frame-src 'self' *.vimeocdn.com *.vimeo.com; ";
set $CSP_object "object-src 'self' ; ";
set $CSP "default-src 'self' ; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object}";
add_header Content-Security-Policy $CSP;