Edge ignores script-src in Content Security Policy

Posted by 删除回忆录丶 on 2020-01-04 09:38:13

Question


I have the following Content Security Policy

value="default-src 'self'
       style-src 'self' 'unsafe-inline'; 
       script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; 
       img-src 'self' data: https://s3.amazonaws.com;
       frame-src 'self' *.salesforce.com *.force.com;"

This works fine in Chrome and Firefox. In Edge it is not running because we have some inline scripts (i.e. onClick="foo()").

My understanding is that the default-src sets the defaults and the script-src should override those defaults.

Does anyone know if this is a bug in Edge, or if I've botched it in some way?


Answer 1:


Turns out the problem was that, though that is the way our CSP looks in our web.test.config, the transform puts the following into the web.config:

value="default-src 'self'
           style-src 'self' 'unsafe-inline'; 

       script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; 
           img-src 'self' data: https://s3.amazonaws.com;
           frame-src 'self' *.salesforce.com *.force.com;"

Basically the XDT replaces the CRLFs in the value with , which causes Edge to give up on processing the CSP so you only get the first line.

Bug submitted. https://connect.microsoft.com/IE/feedbackdetail/view/2272282/edge-stops-processing-content-security-policy-on-xd-xa
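As an added example (not code from the question or the answer), a small Python pre-deploy check for a CSP header value: it flags CR/LF control characters like those the transform produced, normalizes the value to one line, parses it into directives, reports a directive name that ended up inside another directive's source list (a lost ';', which the posted value has after default-src 'self'), and models the first-line-only behaviour the answer describes. The sample value is constructed from the policy in the answer, and the directive-name list is an assumption covering common directives only.

```python
import re

# Constructed sample modelled on the answer: after the XDT transform, the
# header value contains literal CR/LF characters between the directives.
TRANSFORMED_CSP = (
    "default-src 'self'\r\n"
    "    style-src 'self' 'unsafe-inline'; \r\n"
    "    script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; \r\n"
    "    img-src 'self' data: https://s3.amazonaws.com;\r\n"
    "    frame-src 'self' *.salesforce.com *.force.com;"
)

# Assumed list of common directive names; a "source" matching one means a ';' was lost.
DIRECTIVE_NAMES = {
    "default-src", "script-src", "style-src", "img-src", "frame-src",
    "connect-src", "font-src", "object-src", "media-src", "child-src",
    "form-action", "frame-ancestors", "base-uri", "report-uri",
}
# Control characters other than TAB are never legal inside an HTTP header value.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

def find_control_chars(value):
    """Return (offset, char) for every CR, LF or other control character."""
    return [(m.start(), m.group()) for m in CONTROL_CHARS.finditer(value)]

def normalize_csp(value):
    """Collapse all whitespace, CR/LF included, into single spaces: a one-line value."""
    return " ".join(value.split())

def parse_csp(value):
    """Split a policy into {directive: [sources]}: ';' separates directives,
    whitespace separates tokens, and the first occurrence of a directive wins."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def find_missing_semicolons(policy):
    """Directives whose source list contains another directive name (a lost ';')."""
    return {name: [s for s in sources if s.lower() in DIRECTIVE_NAMES]
            for name, sources in policy.items()
            if any(s.lower() in DIRECTIVE_NAMES for s in sources)}

def policy_seen_by_first_line_parser(value):
    """Model the behaviour the answer describes: a consumer that stops at the
    first CR/LF keeps only the first line, so every later directive is dropped."""
    return parse_csp(re.split(r"[\r\n]", value, maxsplit=1)[0])
```

Running the checks against the transformed value shows script-src missing from the first-line-only policy, which is exactly why the inline handlers were blocked.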



Source: https://stackoverflow.com/questions/34954042/edge-ignores-script-src-in-content-security-policy
