content-security-policy

I get font load error but I am not explicitly using a font from the web. How could I find out which source I need to white-list

北慕城南 submitted on 2019-12-13 03:37:55
Question: I am getting the following error in my Angular/Play/Bootstrap application. But I have not added any code which explicitly adds a font from the web. How could I find out from where the browser is trying to download the font, and from where in the code it is being downloaded? Refused to load the font 'data:font/woff;base64,d09GRgABAAAAAGVUABEAAAAAxuQAAQABAAAAAAAAAAAAAAAAAAAAAAAAAABHREVGAAABgAAAAC4AAAA0ArgC7UdQT1MAAAGwAAAQ6AAALgxKsqRTR1NVQgAAEpgAAAH3AAAELqI5y

Is there a way to use scripts in Shadow DOM with strict Content Security Policy?

a 夏天 submitted on 2019-12-12 12:38:27
Question: Part of the new Web Components spec is Shadow DOM - a way of embedding <style> and <script> resources with the component HTML itself. As I understand the spec, the Shadow DOM mimics how many existing controls already exist in most browsers - for instance, a browser's native video player will have buttons and styles internally that are part of the control's DOM. However, this appears to clash with Content Security Policy, which disables eval and inline scripting. A simple example (which

X-XSS-Protection vs CSP

纵饮孤独 submitted on 2019-12-12 09:35:46
Question: As far as I understand, CSP can be used for all the same things as X-XSS-Protection and more. If you are using CSP, is there any good reason to use X-XSS-Protection as well? Answer 1: Is there any good reason to use X-XSS-Protection as well? With some doubts (see Kevin's comment below), the answer is probably yes. X-Xss-Protection activates a heuristic, reflected XSS detection feature. Reflected XSS comes in the form of parameters, which makes it easy to determine the scope of the potential attack.

What CSP child iframe inherits from its parent?

我怕爱的太早我们不能终老 submitted on 2019-12-12 07:54:54
Question: I have a webpage (say origin=A) that has an iframe embedded in it which loads from a different domain (say B). B loads a bunch of scripts from different domains (various CDNs). My webpage A sets a pretty strict CSP like: default-src 'none'; script-src 'self'; frame-src B. B doesn't set any CSP headers. Now I would expect the child frame, B, to inherit the CSP rules of A, and trying to access various CDNs should be a violation of its CSP because of script-src 'self', but to my surprise, it works

Content-security-policy and Facebook add-on. Not working

落花浮王杯 submitted on 2019-12-12 05:13:58
Question: I am making a Firefox add-on. It needs to 1) read the webpage, 2) based on that, send information in a POST to my site, 3) display a text based on what my site returns. I cannot get this to work on Facebook.com, and I believe that it is due to Facebook's restrictive Content-Security-Policy. I cannot get the add-on content_script to send a POST. I have tried: var url = 'https://mysite.com'; var request = new XMLHttpRequest(); request.open("POST", url, true); request.onload = function () { alert(

Content-Security-Policy issue

时光怂恿深爱的人放手 submitted on 2019-12-12 03:03:43
Question: I'm using the code below in my .htaccess, but for some reason I'm getting an error message in the console. Any idea what the issue is? Thanks. <IfModule mod_headers.c> Header set Content-Security-Policy "script-src 'self' https://maxcdn.bootstrapcdn.com/ https://oss.maxcdn.com/ https://cdnjs.cloudflare.com https://ajax.googleapis.com https://maps.googleapis.com https://fonts.googleapis.com/ https://www.facebook.com/ https://www.facebook.net/ https://connect.facebook.net https://connect.facebook

nodeJS https - unable to set Content-Security-Policy

半腔热情 submitted on 2019-12-11 17:55:55
Question: I am trying to write a simple NodeJS HTTPS web server using HTTPS and Express that has a configurable Content-Security-Policy. I try to set the Content-Security-Policy header attribute in the server response object, but it always just sends "default-src 'self'". It appears that the HTTPS module overwrites whatever I specify. I have also tried using the helmet-csp npm package, with no success either. Here's my code snippet: var app = express(); var sslOptions = { cert: fs.readFileSync(ourPath + "

Violating Content Security Policy directive in environment Ember Cli

百般思念 submitted on 2019-12-11 10:45:57
Question: I have built a Music Player Component with Ember consuming the SoundCloud API. Suddenly in Chrome I start getting this error notification in my console any time I play a song in my application, plus the songs do not play. See the error: [Report Only] Refused to connect to 'https://ec-media.sndcdn.com/YEqcIen0Pkq6.128.mp3?f10880d39085a94a0418a7ef69…fe493d321fb2a6a96186dcb97beab08f3cea5ad8b42d543c3edc7371f0eb5b2b00ba96395e' because it violates the following Content Security Policy directive:

Ionic 2 CSP on android

馋奶兔 submitted on 2019-12-11 09:29:27
Question: My app does not display camera images; instead it shows a broken image, but for other images (screenshots ...) I don't face this problem. Here is the error shown: Refused to load the image because it violates the following Content Security Policy directive: "default-src *". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback. This happens only for the camera images. Any help? Answer 1: Have you tried adding this line: <meta http-equiv="Content-Security-Policy"

Safari: Unrecognized Content-Security-Policy directive 'frame-ancestors'

孤街醉人 submitted on 2019-12-11 07:24:47
Question: I have an application siteA.com that is loaded in an iframe inside siteB.com. There is no warning when loading siteA.com directly, but I get Unrecognized Content-Security-Policy directive 'frame-ancestors' when it is inside an iframe in siteB.com; this happens only in Safari. All these changes were made in siteA.com. Meta tag, with no luck: <meta http-equiv="Content-Security-Policy" content="frame-ancestors siteB.com"> What headers should I add to siteA.com to allow the Content-Security-Policy directive frame-ancestors?