CSP Meta Tag incorrect: Blocking all fonts and JS

I followed a different SO answer and updated my meta tag like this:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:; default-src 'self' 'unsafe-inline'; https://*.googleapis/*/ https://*.fontawesome.com/*/ script-src 'self' 'unsafe-eval'; object-src 'self';">

My goal is to get FontAwesome past the CySec findings. However, this has caused more problems than it fixed:

Ignoring duplicate Content-Security-Policy directive 'default-src'.

folio.dubaiairports.ae/:9 Ignoring duplicate Content-Security-Policy directive 'default-src'.

Unrecognized Content-Security-Policy directive '<URL>'.

mySite.myCompany.co/:9 Unrecognized Content-Security-Policy directive 'https://*.googleapis/*/'.

chext_driver.js:65 Unrecognized Content-Security-Policy directive 'https://*.googleapis/*/'.

mySite.myCompany.co/:1 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Roboto:400,500' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

blazor.server.js:1 [2021-01-26T09:27:01.087Z] Information: Normalizing '_blazor' to 'https://mySite.myCompany.co/_blazor'.
mySite.myCompany.co/:1 Refused to load the script 'https://kit.fontawesome.com/4f9675fbb7.js' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

mySite.myCompany.co/:1 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Roboto:400,500' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

Any helpful pointers would be much appreciated.

Your CSP has errors:

  • A duplicated default-src directive; the second one will be ignored.
  • The directive name is missing in the part 'unsafe-inline'; https://*.googleapis/*/ https://*.fontawesome.com/*/, so the browser treats the https://*.googleapis/*/ https://*.fontawesome.com/*/ host-sources as a directive name. ; is the separator between directives, so a directive name should follow 'unsafe-inline';.
  • The https://*.googleapis/*/ https://*.fontawesome.com/*/ syntax is invalid, because * is not allowed in the path part or to cover the top-level domain zone; see how to correctly specify host-source.

I am not sure about the gap: and content: scheme-sources; they are not used in ordinary CSP, but they may be applicable to the CSP of browser extensions.
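As an added illustration of the answer above (example code written for this page, not part of the question or the answer), the following small Python linter splits a policy the way a browser does and reports the three mistakes the answer lists: the duplicate default-src, the host-source that ends up in the directive-name position (which also swallows the real script-src, so scripts fall back to default-src exactly as the console messages say), and the wildcards in path and top-level positions. The wildcard rules are a simplification of the CSP3 host-source grammar. FIXED_POLICY is an assumption of how the policy could be rewritten; fonts.gstatic.com and *.fontawesome.com are assumed hosts for the font files, not values from the page.

```python
"""Minimal CSP linter (added example, not from the question or answer).
Splits a policy on ';' and whitespace like a browser, then reports duplicate
directives, host-sources sitting where a directive name belongs, and '*' in
positions a CSP host-source does not allow (simplified CSP3 grammar)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
    "base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to",
    "upgrade-insecure-requests", "block-all-mixed-content", "trusted-types",
    "require-trusted-types-for",
}
# Fallback chains a browser consults when a directive is absent (CSP3).
FALLBACK = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
}
DEFAULT_FALLBACK = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "object-src", "child-src", "manifest-src"}
# Keywords ('self', nonces, hashes) and scheme-sources (data:, gap:) are not
# host-sources, so they get no wildcard checks.
NON_HOST = re.compile(r"^('[^']*'|[a-z][a-z0-9+.-]*:)$", re.I)


@dataclass
class Report:
    directives: dict[str, list[str]] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)


def check_host_source(directive: str, src: str) -> list[str]:
    """Flag '*' placements that do not act as wildcards in a host-source."""
    if src == "*" or NON_HOST.match(src):
        return []
    rest = src.split("://", 1)[1] if "://" in src else src
    host, _, path = rest.partition("/")
    host = host.split(":")[0]  # drop an optional port
    out = []
    if "*" in path:
        out.append(f"{directive}: '{src}' has '*' in the path; '*' is only a wildcard "
                   "as the whole source or as a leading '*.' host label")
    if host.startswith("*.") and "." not in host[2:]:
        out.append(f"{directive}: '{src}' wildcard host '{host}' matches only hosts "
                   f"ending in '.{host[2:]}' (no registrable domain after '*.')")
    elif "*" in host and not host.startswith("*."):
        out.append(f"{directive}: '{src}' has '*' inside the host name")
    return out


def lint_csp(policy: str) -> Report:
    rep = Report()
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            rep.problems.append(f"Unrecognized directive '{name}'; everything up to the "
                                f"next ';' ({' '.join(sources)}) is dropped with it")
            for lost in (s for s in sources if s.lower() in KNOWN_DIRECTIVES):
                rep.problems.append(f"'{lost}' sits inside the dropped directive, so it is never defined")
            for s in [name] + sources:
                rep.problems.extend(check_host_source(name, s))
            continue
        if name in rep.directives:
            rep.problems.append(f"Ignoring duplicate directive '{name}'; only the first occurrence counts")
            continue
        rep.directives[name] = sources
        for s in sources:
            rep.problems.extend(check_host_source(name, s))
    return rep


def effective(rep: Report, directive: str) -> tuple[str | None, list[str]]:
    """Directive that actually governs `directive` after fallback (None = unrestricted)."""
    chain = [directive] + FALLBACK.get(directive, ["default-src"] if directive in DEFAULT_FALLBACK else [])
    for d in chain:
        if d in rep.directives:
            return d, rep.directives[d]
    return None, []


# The policy from the question, verbatim.
QUESTION_POLICY = (
    "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:; "
    "default-src 'self' 'unsafe-inline'; https://*.googleapis/*/ "
    "https://*.fontawesome.com/*/ script-src 'self' 'unsafe-eval'; object-src 'self';"
)
# Assumed rewrite (not from the page): every host gets a directive name; the
# font hosts fonts.gstatic.com and *.fontawesome.com are assumptions to verify.
FIXED_POLICY = (
    "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; "
    "script-src 'self' 'unsafe-eval' https://kit.fontawesome.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "font-src 'self' data: https://fonts.gstatic.com https://*.fontawesome.com; "
    "media-src *; img-src 'self' data: content:; object-src 'self'"
)

if __name__ == "__main__":
    for label, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        rep = lint_csp(policy)
        print(f"--- {label}: {len(rep.problems)} problem(s)")
        for p in rep.problems:
            print("  ", p)
        for d in ("script-src-elem", "style-src-elem"):
            print(f"   {d} is governed by {effective(rep, d)[0]}")
```

Running it on QUESTION_POLICY shows why the console reports both "Ignoring duplicate ... 'default-src'" and a refused script with a default-src fallback: script-src is never registered, because it is swallowed by the unrecognized directive that the stray host-source created. On FIXED_POLICY the linter reports nothing and script-src-elem resolves to script-src.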