content-security-policy

问题 Using content security policy without style-src 'unsafe-inline' how do you allow styles like this? <span style="font-size: 16px;">Hello</span> I've tried adding a nonce to them and adding that nonce to the CSP header but that doesn't seem to work <span style="font-size: 16px;" nonce="0611873de7e2db5985c289fdfa946caee2ae1860">Hello</span> "style-src 'nonce-0611873de7e2db5985c289fdfa946caee2ae1860' 'self'" Is there any way to do this without adding the 'unsafe-inline' directive?? 回答1: According

问题 I have a gulp task that runs browsersync. var options = { proxy : 'localhost:9000/html' , port : 3000 , files : [ config.root + config.srcPaths.htmlBundle , config.htmlRoot + 'main.css' , '!' + config.htmlRoot + '**/*.scss' ] , injectChanges : false , logFileChanges : true , logPrefix : 'broserSync ->' , notify : true , reloadDelay : 1000 }; browserSync( options ); browsersync detects changes and tries to inject them but chrome blocks it with this error: Refused to connect to 'ws://localhost

问题 I am struggling for some days already with defining my Content-Security-Policy for my Cordova App. My first question is: Do I have to add CSP in Cordova? It seems like Cordova adds meta tag for CSP by default and add Whitelist plugin, requiring to define your CSP for every page. If I have to define: How to properly define directives for my need: I am adding some js files, css files, and have inline js code, as well as styles. I have added this CSP for my page. And it is complaining about

问题 I'm trying to download multiple files in a Chrome extension. The following code creates a dummy link to a file, then triggers the .click() event which downloads the file. The problem is that only the first .click() event triggers a download. Subsequent .click() events are ignored. Here the manifest.json : { "name": "Simple File Downloader", "version": "0.1", "permissions": ["contextMenus", "http://*/"], "background": { "persistent": false, "scripts": ["sample.js"] }, "content_security_policy"

问题 I keep getting this error: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. Can anyone

问题 Whilst using CSP for a slightly different purpose (sandboxing) I realized that a very simple auto clicked link seems to bypass even relatively strict CSP. What I am describing is the following: Content security policy: default-src 'none'; script-src 'unsafe-inline'; And the body: <a href="http://www.google.com">test</a> <script> document.querySelector("a").click(); </script> Obviously in a real attack you would include the cookie information into the href field first and probably wrap this in

问题 Content Security Policy header directive for Google Re-captcha I have added following directive for google re-captcha but still I am getting error for recaptcha__en.js "script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ "style-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ tried with nonce "script-src 'self' 'nonce-GoogleRecaptcha' " "style-src 'self' 'nonce-GoogleRecaptcha' " <script src='https://www.google.com/recaptcha

问题 I cannot make base Angular2 (final) application works with the following restrictive CSP. default-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; connect-src 'self' There are one unsafe-eval error in lang.js and two in zone.js. Could you provide a solution ? Step to reproduce with Angular CLI I have created a GitHub repository. You can also follow the instructions below. Use the last Angular CLI with webpack 6.0.8 and the new application created with

问题 I'm trying to use MathJax as part of our web application which uses pretty strict Content Security Policy (CSP). The problem is that MathJax is coded to use eval() [to be exact, in form of Function() ] which is not considered safe by default by CSP. I'm using following CSP header currently: X-Content-Security-Policy: allow 'self'; img-src *; media-src *; frame-src *; font-src *; frame-ancestors 'none'; style-src *; report-uri '/:save-csp-violation'; Which causes MathJax 2.0 code to fail

问题 Github has the following Content Security Policy: Content-Security-Policy:default-src *; script-src assets-cdn.github.com www.google-analytics.com collector-cdn.github.com; object-src assets-cdn.github.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' assets-cdn.github.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.githubusercontent.com *.gravatar.com *.wp.com; media-src 'none'; frame-src 'self' render