inline-scripting

Why does my code violate the Content Security Policy?

生来就可爱ヽ(ⅴ<●) submitted on 2020-07-10 09:58:25
Question: I want to defer non-critical CSS using the following mechanism: <link rel="preload" href="styles.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> I have the following Content Security Policy: Content-Security-Policy: default-src 'self'; object-src 'none'; font-src 'self'; base-uri 'self'; connect-src 'self'; manifest-src 'self'; img-src 'self'; script-src 'self' 'nonce-7cc36362-697e-4b28-bdd9-0400d8923894' 'sha256-1jAmyYXcRq6zFldLe/GCgIDJBiOONdXjTLgEFMDnDSM='; style-src 'self'

Why does my code violate the Content Security Policy?

会有一股神秘感。 submitted on 2020-07-10 09:58:17
Question: I want to defer non-critical CSS using the following mechanism: <link rel="preload" href="styles.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> I have the following Content Security Policy: Content-Security-Policy: default-src 'self'; object-src 'none'; font-src 'self'; base-uri 'self'; connect-src 'self'; manifest-src 'self'; img-src 'self'; script-src 'self' 'nonce-7cc36362-697e-4b28-bdd9-0400d8923894' 'sha256-1jAmyYXcRq6zFldLe/GCgIDJBiOONdXjTLgEFMDnDSM='; style-src 'self'

What if script tag has both “src” and inline script? [duplicate]

强颜欢笑 submitted on 2019-12-17 07:39:59
Question: This question already has answers here: JavaScript: Inline Script with SRC Attribute? (3 answers) Closed last year. I am wondering what happens if one script tag has both "src" and inline script. I tried the code below. <script src="http://yui.yahooapis.com/2.8.1/build/yahoo/yahoo-min.js" type="text/javascript" charset="utf-8"> alert('hello'); </script> <script type="text/javascript" charset="utf-8"> alert(YAHOO); </script> It seems the "alert('hello')" is never executed in Firefox and Chrome. I tried to

Mitmproxy tampering GET and POST request/response in one script

风流意气都作罢 submitted on 2019-12-01 08:24:26
A POST request to a certain URL (http://test.com) is like: { "messageType": "OK", "city": { "Name": "Paris", "Views": { "1231": { "id": 4234, "enableView": false }, }, "Views": [5447, 8457], "messages": [{ "id": "message_6443", "eTag": 756754338 }] }, "client": { "Id": 53, "email": "test@test.us", "firstName": "test", "lastName": "test", "id": 52352352, "uuid": "5631f-grdeh4", "isAdmin": false, I need to intercept that and change "isAdmin" to true. And a GET request to a certain URL (https://test.com/profiles/{Random_Numbers}/id}) has a 'response' [decoded gzip] JSON { "id": 0, "Code":

Mitmproxy tampering GET and POST request/response in one script

懵懂的女人 submitted on 2019-12-01 06:33:39
Question: A POST request to a certain URL (http://test.com) is like: { "messageType": "OK", "city": { "Name": "Paris", "Views": { "1231": { "id": 4234, "enableView": false }, }, "Views": [5447, 8457], "messages": [{ "id": "message_6443", "eTag": 756754338 }] }, "client": { "Id": 53, "email": "test@test.us", "firstName": "test", "lastName": "test", "id": 52352352, "uuid": "5631f-grdeh4", "isAdmin": false, I need to intercept that and change "isAdmin" to true. And a GET request to a certain URL (https:/

What if script tag has both “src” and inline script? [duplicate]

与世无争的帅哥 submitted on 2019-11-27 05:16:42
This question already has an answer here: JavaScript: Inline Script with SRC Attribute? 3 answers I am wondering what happens if one script tag has both "src" and inline script. I tried the code below. <script src="http://yui.yahooapis.com/2.8.1/build/yahoo/yahoo-min.js" type="text/javascript" charset="utf-8"> alert('hello'); </script> <script type="text/javascript" charset="utf-8"> alert(YAHOO); </script> It seems the "alert('hello')" is never executed in Firefox and Chrome. I tried to change the src to point to a non-existent URI. The "alert('hello')" is also not executed. So, inline script is always ignored