content-security-policy

Content Security Policy hash not recognized by Safari 11.0.3

时光毁灭记忆、已成空白 submitted on 2019-12-24 00:30:01
Question: I have a meta tag with the following directive inside of it: <meta http-equiv="Content-Security-Policy" content="base-uri 'self'; script-src 'self' 'sha256-s5EeESrvuQPpk2bpz5I3zn/R8Au2DYB1Z+YUH9p0fUE=' 'sha256-PYYfGnkbZ44B9ZBpgv8NbP3MXT560LMfrDSas2BveJo=';"> I then have 2 inline scripts further down the page, each of which should match one of the generated SHAs in the policy. In Chrome and Firefox, I get no complaints and my scripts run as expected. In Safari Version 11.0.3 (13604.5.6), I get

Call to eval() blocked by CSP with Selenium IDE

倖福魔咒の submitted on 2019-12-24 00:02:52
Question: I have a Selenium test developed in Selenium IDE. I have a step in this suite that should type a value in a text field. It fails at that step giving the following error: 18. click on id=firstName Failed: 11:12:59 call to eval() blocked by CSP Answer 1: CSP Content Security Policy (CSP) acts as an added layer of security that helps to detect and mitigate attacks including Cross-Site Scripting (XSS) and data injection attacks. These attacks are primarily used for data theft and distribution of

Unrecognized content security policy directives: disown-opener, reflected-xss, referrer

跟風遠走 submitted on 2019-12-23 19:44:47
Question: I'm at least 90% sure that the following is a result of Chrome's implementation of W3C's CSP standard, but I thought that it'd be best to double down and make sure. I'm currently in the process of implementing a strict content security policy for a client, and I've run into the following policy directive complications on Chrome 66: Unrecognized Content-Security-Policy directive 'disown-opener'. Unrecognized Content-Security-Policy directive 'reflected-xss'. Unrecognized Content-Security

Refused to frame 'https://www.youtube.com/embed/xxxxx' because it violates Content Security Policy directive

三世轮回 submitted on 2019-12-23 19:24:23
Question: I am trying to embed a YouTube video in my page and see an error like this in the console: Refused to frame 'https://www.youtube.com/embed/<~videoId~>?showinfo=0' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback. This seems clear enough, so after a bit of reading I found two ways of setting an appropriate content security policy. by setting a response header (which I

Content-Security-Policy error https://ssl.gstatic.com

空扰寡人 submitted on 2019-12-23 17:12:12
Question: I am getting an error as captured in the screenshot below: It reads: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src file: data: chrome-extension: https://ssl.gstatic.com". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. What am I doing wrong and how can I resolve the Content-Security-Policy error? Below is my meta tag, in my index.html

Why is inline script forbidden (Content Security Policy)?

懵懂的女人 submitted on 2019-12-23 14:19:55
Question: I'm wondering about the quote from the specification: (https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html) To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker. Sourcing out all inline script is a time-heavy task. My question is from the security point of view. Do you really get any

Gmail Content Security Policy on Chrome extensions

拥有回忆 submitted on 2019-12-23 04:32:23
Question: Gmail just updated its Content Security Policy: http://googleonlinesecurity.blogspot.com/2014/12/reject-unexpected-content-security.html This is throwing an error for my Chrome extension, which augments Gmail. To be clear, my content script is loading another script that is hosted on my server. This allows for rapid deployment. Refused to load the script 'https://<domain-path>.js?' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe

GWT Chrome Extension with manifest_version: 2

半腔热情 submitted on 2019-12-22 14:15:44
Question: Has anyone been able to make a Chrome extension using GWT and manifest_version 2? I have sandboxed all the GWT generated files also (as suggested here) but it still does not work. manifest.json { "name": "Hello World!", "description": "My first packaged app.", "manifest_version": 2, "version": "0.1", "app": { "background": { "scripts": ["background.js"] } }, "permissions": ["experimental", "appWindow"], "icons": { "16": "calculator-16.png", "128": "calculator-128.png" } } background.js

What value to use for Content-Security-Policy meta for <video src=“blob:…”>

▼魔方 西西 submitted on 2019-12-22 13:45:26
Question: My https://my-site.com site has some HTML like the following: <video src="blob:https://my-site.com/{some-guid}"></video> In console, I get this error: Refused to load media from 'blob:https://my-site.com/{some-guid}' because it violates the following Content Security Policy directive: "media-src *". In my head I have this: <meta http-equiv="Content-Security-Policy" content="media-src * blob:" /> What am I missing? I've even tried the "catch all" (not super safe) value of default-src * 'unsafe
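
Two of the posts above (the YouTube frame blocked by default-src 'self', and the blob: video rejected by media-src *) come down to the same two rules: a fetch directive that is absent falls back along a fixed chain (frame-src to child-src to default-src), and the wildcard * never matches blob:, data: or filesystem: URLs. The following is an added example, not code from either post, that resolves the governing directive for a load and matches the URL against its source list; the policies, page origin, video id and blob GUID are constructed samples, and scheme-less host sources are simplified to cover both http and https.

```javascript
// Added example (not from any of the posts): resolve which CSP directive
// governs a load, honouring the CSP3 fallback chains the browser message
// refers to, and match the URL against that directive's source list.
// Policy strings, origins and URLs below are constructed samples.

// Absent fetch directives defer along these chains; everything else
// falls back straight to default-src (non-fetch directives such as
// base-uri or form-action are out of scope here).
const FALLBACK = {
  "frame-src": ["frame-src", "child-src", "default-src"],
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
};
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
// scheme://  *.  host  :port  /path   (everything but the host is optional)
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*|\*)(?::(\d+|\*))?(\/[^\s?#]*)?$/i;

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // repeated directives are ignored
  }
  return directives;
}

// Returns [governingDirectiveName, sources], or null if nothing restricts the load.
function effectiveDirective(directives, name) {
  for (const candidate of FALLBACK[name] || [name, "default-src"]) {
    if (directives.has(candidate)) return [candidate, directives.get(candidate)];
  }
  return null;
}

// Does one source expression match this URL? Covers 'self', '*', scheme-only
// sources (blob:, https:) and host sources with optional scheme, port and path.
function sourceMatches(expr, url, pageOrigin) {
  const target = new URL(url);
  const keyword = expr.toLowerCase();
  if (keyword === "'self'") return target.origin === pageOrigin;
  // '*' covers network schemes only: blob:, data: and filesystem: URLs never match it.
  if (keyword === "*") return target.protocol in DEFAULT_PORT;
  if (keyword.startsWith("'")) return false; // 'none', nonces, hashes, 'unsafe-*' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(keyword)) return target.protocol === keyword; // scheme-source, e.g. blob:
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, wildcardHost, host, port, path] = m;
  if (scheme) {
    if (target.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (target.protocol !== "http:" && target.protocol !== "https:") {
    return false; // simplified: a scheme-less host source covers http and https
  }
  const h = host.toLowerCase();
  if (h !== "*") {
    if (wildcardHost ? !target.hostname.endsWith("." + h) : target.hostname !== h) return false;
  }
  if (port === undefined) {
    if (target.port !== "") return false; // no port in the source: URL must use the scheme default
  } else if (port !== "*" && port !== (target.port || DEFAULT_PORT[target.protocol])) {
    return false;
  }
  if (path) {
    // A path ending in "/" is a prefix; anything else must match exactly.
    if (path.endsWith("/") ? !target.pathname.startsWith(path) : target.pathname !== path) return false;
  }
  return true;
}

// Decide a load the way the console message describes it: name the directive
// actually consulted (possibly a fallback) and whether any source allowed the URL.
function checkLoad(policy, directiveName, url, pageOrigin) {
  const governing = effectiveDirective(parsePolicy(policy), directiveName);
  if (!governing) return { allowed: true, directive: null };
  const [directive, sources] = governing;
  return { allowed: sources.some((s) => sourceMatches(s, url, pageOrigin)), directive };
}

// Constructed samples standing in for the elided values in the posts.
const PAGE_ORIGIN = "https://my-site.com";
const YOUTUBE_EMBED = "https://www.youtube.com/embed/abc123/?showinfo=0".replace("/?", "?");
const BLOB_VIDEO = "blob:https://my-site.com/0c2d9e7a-1f7a-4b6a-9a53-2d5ab2a4c1f7";

console.log(checkLoad("default-src 'self'", "frame-src", YOUTUBE_EMBED, PAGE_ORIGIN));
console.log(checkLoad("default-src 'self'; frame-src https://www.youtube.com", "frame-src", YOUTUBE_EMBED, PAGE_ORIGIN));
console.log(checkLoad("media-src *", "media-src", BLOB_VIDEO, PAGE_ORIGIN));
console.log(checkLoad("media-src * blob:", "media-src", BLOB_VIDEO, PAGE_ORIGIN));
```

The directive name in the returned object is the one to look for in the console message: when it reads default-src while you set media-src or frame-src elsewhere, the browser is not seeing the policy you think it is (a second header or meta tag, or one delivered later than the element it should cover), which is the first thing to verify before changing source lists.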