Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
424 views
in Technique[技术] by (71.8m points)

javascript - 为什么我的代码违反了内容安全政策?(Why does my code violate the Content Security Policy?)

I want to defer non-critical css using the following mechanism:

(我想使用以下机制延迟非关键的CSS:)

<link rel="preload" href="styles.css" as="style" onload="this.onload=null;this.rel='stylesheet'">

I have the following Content Security Policy:

(我有以下内容安全政策:)

Content-Security-Policy: default-src 'self'; object-src 'none'; font-src 'self'; base-uri 'self'; connect-src 'self'; manifest-src 'self'; img-src 'self'; script-src 'self' 'nonce-7cc36362-697e-4b28-bdd9-0400d8923894' 'sha256-1jAmyYXcRq6zFldLe/GCgIDJBiOONdXjTLgEFMDnDSM='; style-src 'self'; form-action 'self'; frame-ancestors 'none'; media-src 'self'; report-uri /api/cspviolation

When trying to load and interpret the document, the browser blocks the execution of the onload event handler script because it violates the CSP, which I do not understand because the sha256 of that script is set in the script-src directive.

(尝试加载和解释文档时,浏览器会阻止onload事件处理程序脚本的执行,因为它违反了CSP,我不明白,因为该脚本的sha256是在script-src指令中设置的。)

Any ideas?

(有任何想法吗?)

I've used an online sha256 generator generating the the sha256 set in the CSP.

(我使用了在线sha256生成器来生成CSP中的sha256集。)

Sadly Chrome does not provide me the sha256 it wants in the console, which I've seen before.

(遗憾的是,Chrome并没有在控制台中提供我想要的sha256,这是我以前见过的。)

  ask by Stefan Benz translate from so

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)
等待大神答复

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...