content-security-policy

Google Analytics and Content-Security-Policy header

和自甴很熟 submitted on 2019-12-17 19:01:30
Question: The Content-Security-Policy HTTP header is meant to block inline script and resources from untrusted servers. However, the sample Google Analytics code snippet depends on both. What are the best practices in this area? This is the Content-Security-Policy header that I'm currently using: default-src 'self'; script-src 'self' https://ssl.google-analytics.com; img-src 'self' http://www.google-analytics.com/__utm.gif https://ssl.google-analytics.com/__utm.gif; So far, I've done the following: I

Secure way of inserting dynamic values in external JavaScript files

99封情书 submitted on 2019-12-17 16:44:39
Question: I'm implementing Content Security Policy headers using the following policy Content-Security-Policy: default-src 'self' so will need to avoid inline script because it will not execute. However, in the MVC application certain functionality such as editor templates use inline script. e.g. tinymce_jquery_full.cshtml contains $(function() { $('#@ViewData.TemplateInfo.GetFullHtmlFieldName(string.Empty)').tinymce({ ... What is a good way to include dynamic values in external .js files when using a

How to fix chrome-extension inline JavaScript invocation error?

别来无恙 submitted on 2019-12-17 16:03:38
Question: I'm making a Chrome extension; however, I seem to get the following error when I try to fire up an onclick() event. Refused to load the script 'https://apis.google.com/js/client.js?onload=handleClientLoad' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome-extension-resource:" and Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem: chrome

Cordova - refuse to execute inline event handler because it violates the following content Security policy

妖精的绣舞 submitted on 2019-12-17 10:47:29
Question: I'm training for Cordova application development and I turn around a problem with Content Security Policy. My application is running with the Android emulator, but when I have to execute a JavaScript I get a message in NetBeans (output window). Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.gstatic.com". (22:35:56:126 | error, security) at www/index.html:58 My code is below. This is my index.html. I

Extension refuses to load the script due to Content Security Policy directive

狂风中的少年 submitted on 2019-12-17 08:38:24
Question: Following is my code of HTML Scripts: <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script> <script src="background.js"></script> HTML: <button name="btnlogin" id="btnlogin">Login</button><br/><br/> and following is js $(document).ready(function(){ document.getElementById("#btnlogin").click(function(){ alert("s"); }); }); manifest file: { "manifest_version": 2, "name": "One-click Kittens", "description": "This extension demonstrates a 'browser action' with

Get JSON in a Chrome extension

江枫思渺然 submitted on 2019-12-17 07:31:20
Question: Small problem with my Chrome extension. I just wanted to get a JSON array from another server. But manifest 2 doesn't allow me to do it. I tried specifying content_security_policy, but the JSON array is stored on a server without SSL cert. So, what should I do without using manifest 1? Answer 1: The CSP cannot cause the problem you've described. It's very likely that you're using JSONP instead of plain JSON. JSONP does not work in Chrome, because JSONP works by inserting a <script> tag in the

Content-Security-Policy error in google chrome extension making

别来无恙 submitted on 2019-12-17 05:12:12
Question: I am making a Chrome extension that will open all links on a page in new tabs. Here are my code files: manifest.json { "name": "A browser action which changes its icon when clicked.", "version": "1.1", "permissions": [ "tabs", "<all_urls>" ], "browser_action": { "default_title": "links", // optional; shown in tooltip "default_popup": "popup.html" // optional }, "content_scripts": [ { "matches": [ "<all_urls>" ], "js": ["background.js"] } ], "manifest_version": 2 } popup.html <!doctype html>

Console shows error about Content Security policy and lots of failed GET requests

£可爱£侵袭症+ submitted on 2019-12-17 04:07:53
Question: I'm actually working on my first Chrome Extension and even if it runs smoothly I got a lot of errors from the get() function I'm using to retrieve some data and an annoying error about the security of the code. Here's a screenshot of the console log: Following there's the code involved: popup.html <!doctype html> <html> <head> <title>NGI Little Helper - Subscribes</title> <link rel="stylesheet" href="popup.css"> <!-- JavaScript and HTML must be in separate files for security. --> <script type=

Cordova 5.1.1 “There was a network error” message in onReceivedError method when I call network url from Cordova Android webview

微笑、不失礼 submitted on 2019-12-13 19:17:40
Question: I am using Cordova 5.1.1. I want to call a network URL from CordovaWebview in Android. My Android OS version is 4.4.2. Here is my code from the Android side. Android content_main.xml file:- <RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" xmlns:app="http://schemas.android.com/apk/res-auto" android:layout_width="match_parent" android:layout_height="match_parent" android:paddingLeft="@dimen/activity_horizontal_margin" android

Google Chrome: Refused to Execute Inline script

别说谁变了你拦得住时间么 submitted on 2019-12-13 13:15:53
Question: In light of the change in Chrome's content security policy, I have moved all the script into separate files and am referencing them in HTML pages (background and popup) for my Chrome extension. But I still get the following message Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:". This is my background page <html> <head> <script type="text/javascript" src="jquery.js"></script> <script type="text