Content Security Policy not allowing form submission

╄→尐↘猪︶ㄣ Submitted on 2020-01-23 10:55:28

Question


Please, I need assistance here. I have a form to submit to another URL, but when I try to submit it, it refuses to submit, and I checked my console.

On Chrome, I see the following errors

resources2.aspx?HCCID=75694719&culture=en-US&mlcv=3006&template=5:7 Refused to load the image 'https://s4.mylivechat.com/livechat2/images/sprite.png' because it violates the following Content Security Policy directive: "img-src 'self' data:".

Refused to send form data to 'https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx' because it violates the following Content Security Policy directive: "form-action 'self'".

and on Mozilla Firefox I see the following:

Content Security Policy: The page’s settings blocked the loading of a resource at https://s4.mylivechat.com/livechat2/images/sprite.png (“img-src http://smehelp.themarketplace.ng data:”)

Content Security Policy: The page’s settings blocked the loading of a resource at http://smehelp.themarketplace.ng/purchase/summary (“form-action 'self'”).

Checking around the web for solution, I have added the following to my page header

        <meta http-equiv="Content-Security-Policy" content="form-action 'self'">

but the problem still persists.

This results in my not being able to submit my forms. The forms used to submit earlier, but I just tried it today and observed this error.

I am running on Google Chrome Version 55.0.2883.95 (64-bit) on a MAC OS.

I will appreciate any suggestion to solve this issue as soon as possible.

Thank you


Answer 1:


You are passing the Content-Security-Policy value in your response header:

base-uri 'none'; default-src 'self' https://s4.mylivechat.com; child-src 'none'; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:; media-src 'self'; object-src 'none'; script-src 'self' https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com 'unsafe-inline'

The content security policy that you've added to the page meta will be ignored as this is present in the response header.

You will need to make the following additions (in bold) to your CSP that you are sending in your response header.

base-uri 'none'; default-src 'self' https://s4.mylivechat.com; child-src 'none'; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action 'self' https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx; frame-ancestors 'none'; img-src 'self' data: https://s4.mylivechat.com; media-src 'self'; object-src 'none'; script-src 'self' https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com 'unsafe-inline';

  • Add https://s4.mylivechat.com to img-src
  • Add https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx to form-action
  • Remove <meta http-equiv="Content-Security-Policy" content="form-action 'self'"> from your HTML code
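To see why each of the three bullets above matters, here is an added example (not code from the original question, answer, or any browser) that replays the two blocked requests against the original and corrected header policies. It implements the CSP source-matching rules that this page exercises ('self', scheme sources such as data:, and host sources with an optional path), the rule that form-action never falls back to default-src, and the rule that when a page delivers more than one policy (a header plus a <meta> tag) every policy must allow the request. The page URL is an assumption taken from the Firefox message, which expands 'self' to http://smehelp.themarketplace.ng; the policy strings and resource URLs are copied from the page.

```python
"""Toy CSP checker (added example): does a request to URL pass a set of policies?"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Fetch directives that fall back to default-src when absent. form-action is
# deliberately NOT in this set: per the spec it never falls back, so a missing
# form-action leaves submissions unrestricted.
FALLS_BACK_TO_DEFAULT = {"img-src", "script-src", "style-src", "font-src",
                         "connect-src", "media-src", "object-src", "child-src"}

# Policies copied from the answer; the <meta> policy and resource URLs come from
# the question. PAGE_URL is an ASSUMPTION inferred from the Firefox error text.
ORIGINAL_HEADER = "base-uri 'none'; default-src 'self' https://s4.mylivechat.com; child-src 'none'; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:; media-src 'self'; object-src 'none'; script-src 'self' https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com 'unsafe-inline'"
FIXED_HEADER = "base-uri 'none'; default-src 'self' https://s4.mylivechat.com; child-src 'none'; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action 'self' https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx; frame-ancestors 'none'; img-src 'self' data: https://s4.mylivechat.com; media-src 'self'; object-src 'none'; script-src 'self' https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com 'unsafe-inline';"
META_POLICY = "form-action 'self'"
PAGE_URL = "http://smehelp.themarketplace.ng/purchase/summary"  # assumed page location
PAYMENT_URL = "https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx"
SPRITE_URL = "https://s4.mylivechat.com/livechat2/images/sprite.png"


def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source, ...]}.
    When a directive is repeated, the first occurrence wins (as in browsers)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def origin_of(url: str) -> tuple:
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(),
            u.port or DEFAULT_PORTS.get(u.scheme.lower()))


def host_source_matches(source: str, url: str, page_scheme: str) -> bool:
    """Match a host-source (e.g. https://s4.mylivechat.com or
    https://host/dir/file.aspx) against a URL: scheme, host, port and path."""
    if "://" not in source:           # scheme-less source inherits the page scheme
        source = page_scheme + "://" + source
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme.lower() != u.scheme.lower():
        return False
    s_host, u_host = (s.hostname or "").lower(), (u.hostname or "").lower()
    if s_host.startswith("*."):
        if not u_host.endswith(s_host[1:]):
            return False
    elif s_host != u_host:
        return False
    if (s.port or DEFAULT_PORTS.get(s.scheme)) != (u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    if s.path and s.path != "/":      # a path in the source constrains the URL path
        return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path
    return True


def source_allows(source: str, url: str, page_url: str) -> bool:
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(url) == origin_of(page_url)
    if source == "*":
        return urlsplit(url).scheme.lower() not in ("data", "blob", "filesystem")
    if source.startswith("'"):        # 'unsafe-inline', nonces, hashes never match a URL
        return False
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. data:
        return urlsplit(url).scheme.lower() == source[:-1].lower()
    return host_source_matches(source, url, urlsplit(page_url).scheme)


def policy_allows(policy: str, directive: str, url: str, page_url: str) -> bool:
    d = parse_csp(policy)
    sources = d.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = d.get("default-src")
    if sources is None:
        return True                   # no governing directive: unrestricted
    return any(source_allows(s, url, page_url) for s in sources)


def request_allowed(policies, directive: str, url: str, page_url: str) -> bool:
    """Browsers enforce every delivered policy (header and <meta>): all must allow."""
    return all(policy_allows(p, directive, url, page_url) for p in policies)


def explain(policies, page_url: str = PAGE_URL) -> dict:
    """Replay the two requests from the question against the given policies."""
    return {
        "form_to_payment_gateway": request_allowed(policies, "form-action", PAYMENT_URL, page_url),
        "img_livechat_sprite": request_allowed(policies, "img-src", SPRITE_URL, page_url),
    }


if __name__ == "__main__":
    for label, pols in [("original header", [ORIGINAL_HEADER]),
                        ("fixed header", [FIXED_HEADER]),
                        ("fixed header + meta form-action 'self'", [FIXED_HEADER, META_POLICY])]:
        print(f"{label}: {explain(pols)}")
```

Two things the run makes visible that the error messages alone do not: the sprite was blocked even though default-src already listed https://s4.mylivechat.com, because an explicit img-src replaces the fallback rather than extending it; and adding the page-level <meta> policy cannot loosen anything, since the form submission has to satisfy both the header and the <meta> policy, which is why the third bullet (removing the <meta> tag) is part of the fix and not just tidy-up. Keep form-action as narrow as the corrected policy does (one gateway URL, not a whole scheme or a wildcard), since that directive is what stops a compromised page from quietly posting form data elsewhere.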


Source: https://stackoverflow.com/questions/41942834/content-security-policy-not-allowing-form-submission
