content-security-policy

问题 I am trying to load some css and scripts via some CDNs to improve loading times but I am getting a content security policy issue, but after a fair amount of time reading up on it and trying out different polices it is still giving my the same error. Currently my policy looks like this - <meta http-equiv="Content-Security-Policy" content="default-src 'self' https://code.jquery.com/ https://cdnjs.cloudflare.com/ https://maxcdn.bootstrapcdn.com/"> which from my understanding should mean I can

问题 Is it possible prevent inline JavaScript on Internet Explorer 11 using CSP on ASP.NET WebForm? I know IE 11 does not support Content Security Policy Level 2 but it seen that support Level 1.0. I tried many way and there is not a clear answer out there. I tried: Response.AddHeader("X-Content-Security-Policy", "script-src 'none'"); Response.AddHeader("X-Content-Security-Policy","script-src 'self'"); Response.AddHeader("Content-Security-Policy", "script-src 'self'"); it's not working. Thanks!

问题 Here is my meta tag : <meta http-equiv="Content-Security-Policy" content="default-src * 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src http://* 'self' 'unsafe-inline'; media-src *"> I am using this meta tag to call server's socket.io.js file on port like : <script src="https://example.co:3344/socket.io/socket.io.js"></script> This is for WebRTC (rtcmulticonnection), so my stream event triggered and stream create a media : rtcMultiConnection.onstream = function(event) { if

问题 I am using the following Content Security Policy in Report-Only mode: Content-Security-Policy-Report-Only "default-src 'self'; report-uri /log_violations" When I go to a URL on the server with an HTML page containing the following: <!DOCTYPE html> <head> <title> Test document </title> </head> <html> <body> Hello </body> </html> I am seeing the following error message in Firefox 57.0 on line 1: Content Security Policy: The page’s settings observed the loading of a resource at self (“default

问题 In a jekyll website, I added a plugin (http://flexslider.woothemes.com/), everything is working fine upto Edge16 & below browsers, however, in Edge17, I see the console message: SEC7136: [Integrity] The origin '[insert url]' failed an integrity check for a style resource at '[url]' What is this error about? And how is the offending file, in this case, a CSS file, causing an integrity issue in Edge17 & not the previous version? Thanks 回答1: This is a known bug in 1803 Win10 release. You are

问题 I have an angular application, that communicates with, depending on the setup, a REST API on Tomcat or a REST API on a Jetty. The angular-app itself is hosted on the same tomcat/jetty as a war. The Tomcat setup might have an Apache in front (depending on the client) The application needs to use base64 images (loaded trough css), but right now, if it's hosted on a server I get the following error: Refused to load the image 'data:image/png;base64,...' because it violates the following Content

问题 I add Content-Security-Policy its work fine with Chrome, Firefox and Opera but with Internet Explorer 11 i have this error "This page can’t be displayed" add_header Content-Security-Policy "connect-src 'self' wss://example.com/ws/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://www.google.com https://www.gstatic.com/recaptcha/api2/recaptcha__en.js https://ajax.cloudflare.com/cdn-cgi/nexp/cloudflare.min.js; frame-src 'self' https://www.terminal.com

问题 I have defined my security policy as: default-src 'self'; script-src 'self'; frame-src 'self'; style-src 'self' 'unsafe-inline'; (I still have CSS at the head of several pages). I have no trouble with Firefox or Chrome (IE doesn't support CSP yet) but, when I try testing in Safari, I get a string of errors like: Refused to load style from 'http://localhost/styles/alliance.css' because of Content-Security-Policy. . . . Refused to load image from 'http://localhost/images/Landing1.jpg' because

问题 When I'm working with developing a website, I often would like to see how a specific feature would look on a website. So I go to the chrome developer tools and often run some javascript scripts. I often find the issue that some scripts can not run because of the Content Security Policy (CSP), which I completely understand for purposes of protecting against cross site scripting. QUESTION: Since I am testing features with the developers console on a page that is loaded for me on my browser

问题 I turned on Content Security Policy on my server with this command in my Apache2-configuration: Header set Content-Security-Policy-Report-Only "default-src 'self'" (I set it to ...-Report-Only to only report errors, without really blocking something while developing.) This setting produces an error that I don't understand. But I can reproduce it: This is the simplified html-code: <!DOCTYPE HTML> <html lang="en"> <head> <script src="/js/test.js"></script> <title>test</title> </head> <body><