content-security-policy

Meteor browser-policy local camera not allowed

女生的网名这么多〃 submitted on 2020-01-05 14:09:12
Question: I'm using Uploadcare to upload images and files in my application and am also using the browser-policy package for content security. I noticed recently that the camera upload feature was not working and couldn't figure out how to allow it. Refused to load media from 'blob:http%3A//localhost%3A3000/e44633a7-227f-40e2-a3bd-9efd211f677d' because it violates the following Content Security Policy directive: "default-src 'self' (My Allowed Origins ...) ". Note that 'media-src' was not explicitly

Edge ignores script-src in Content Security Policy

删除回忆录丶 submitted on 2020-01-04 09:38:13
Question: I have the following Content Security Policy value="default-src 'self' style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; img-src 'self' data: https://s3.amazonaws.com; frame-src 'self' *.salesforce.com *.force.com;" This works fine in Chrome and Firefox. In Edge it is not running because we have some inline scripts (i.e. onClick="foo() ). My understanding is that the default-src sets the defaults and the script-src should override

Loading favicon icon from Express web server causes Content-Security-Policy violation

泄露秘密 submitted on 2020-01-04 06:33:51
Question: I get the following error when I try to load the website I am creating: Refused to load the image 'http://167.71.89.74/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback. It looks like my attempts to fix the error change the X-Content-Security-Policy, but not the Content-Security-Policy. I am using a simple Express server to load the page requests. I found

Allowing certain scripts to set inline styles

感情迁移 submitted on 2020-01-04 04:00:05
Question: I'm securing my page using CSP headers. I set both X-Content-Security-Policy and X-Webkit-CSP to the following value: default-src 'self'; object-src 'none'; frame-src 'self' *.youtube.com; style-src 'self' https://ajax.googleapis.com; script-src 'self' https://ajax.googleapis.com; report-uri /csp_report Everything loads fine, but I get the following error in Chrome. I have yet to test it in other browsers. Refused to apply inline style because it violates the following Content Security

CSP hash or nonce for inline JS within attribute

牧云@^-^@ submitted on 2020-01-03 12:43:35
Question: New to Content Security Policy stuff so not sure if this is possible or not, but wondering how to add a hash or nonce for some inline script within an HTML element's attribute. For example: <form method="post" onsubmit="function();"> Gives me the following CSP error in Google Chrome: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'. Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...')

Embedding an Iframe having CSP 2.0 in a mobile app: “frame-ancestors” issue

蓝咒 submitted on 2020-01-02 08:54:11
Question: Building a hybrid app with the Ionic framework, I need to embed an iframe in one of my pages. My problem is that the page loaded in the iframe has the following CSP: "frame-ancestors http://foo.somedomain.com" Which works just fine in my browser. However whenever I try this in the application itself the content is not loaded due to: Refused to display 'http://foo.somedomain.com' in a frame because an ancestor violates the following Content Security Policy directive "frame-ancestors

content security policy issue with chrome extension

99封情书 submitted on 2020-01-02 07:46:05
Question: Trying to load different content (can be pdf, swf etc.) in an 'iframe' through javascript in a Chrome extension application. The content is loaded using the data URL scheme as: // this javascript is registered in the html file and the LoadFunction is registered inside the DOMContentLoaded event on the click of a button. void LoadFunction() { window.parent.document.getElementById("page_data").src = 'data:application/pdf;base64,' + 'base64 encoded data'; (base64 data is received from a c++

Why would I get a CSP violation for the blocked-uri 'about'?

╄→尐↘猪︶ㄣ submitted on 2020-01-02 00:11:38
Question: My CSP report URI has received the following CSP violation: { "csp-report":{ "document-uri":"https://example.com/blog/somepage", "referrer":"", "violated-directive":"img-src 'self' data: p.typekit.net pbs.twimg.com platform.twitter.com q.stripe.com syndication.twitter.com", "effective-directive":"img-src", "original-policy": veryLongPolicyGoesHere, "blocked-uri":"about", "status-code":0 } } Why would I get a CSP violation for the blocked-uri 'about'? Is this the inbuilt about: URL from web

Knockout.js secure binding

可紊 submitted on 2020-01-01 15:06:49
Question: I want to use secure binding with knockout. To do so I use knockout-secure-binding.js. Who could explain why the following code does not work? It throws an error `Uncaught #<Object> knockout-secure-binding.js:74` after the line ko.applyBindings(new viewModel()); <html> <head> <title></title> <script src="scripts/knockout-3.0.0-min.js"></script> <script src="knockout-secure-binding-master/dist/knockout-secure-binding.js"></script> </head> <body> <button type="button" data-sbind="sbtnClick"

Javascript Template Engines that work with Chrome's Content Security Policy

眉间皱痕 submitted on 2020-01-01 08:21:31
Question: The Chrome API's Manifest version 2 has removed the ability to do unsafe-eval. This means using the eval function or in general dynamically creating a function from text. It seems like most if not all Javascript Templating Engines do this. I was using Jaml, but I tried several others like backbone.js (which really uses underscore.js's templating engine) with no luck. This comment on the Chromium project seems to indicate that there are a great many libraries that suffer from this. I think