javascript 如何解决“拒绝加载脚本,因为它违反了以下内容安全策略指令”问题?

bpzcxfmw  于 2023-05-05  发布在  Java
关注(0)|答案(2)|浏览(966)

当我尝试通过chrome://extensions/在Chrome浏览器中测试我的web extension时,我在Chrome浏览器控制台中看到以下错误消息:

Refused to load the script 'https://js.stripe.com/v3/buy-button.js' because it violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' http://localhost:* http://127.0.0.1:*". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

以下是抛出上述错误消息的客户端js代码:

const basicPlanButton = document.createElement('div');
  basicPlanButton.classList.add('basicPlanButton');
  basicPlanButton.id = 'basicPlanButton';
  basicPlanButton.style.display = 'block';
  basicPlanButton.style.justifyContent = 'center';
  basicPlanButton.style.alignItems = 'center';
  basicPlanButton.style.position = 'absolute';
  basicPlanButton.style.zIndex = '9999';
  basicPlanButton.style.cursor = 'pointer';
  modal.prepend(basicPlanButton);
  
  const stripeScript = document.createElement('script');
  stripeScript.setAttribute('async', '');
  stripeScript.setAttribute('src', 'https://js.stripe.com/v3/buy-button.js');
  basicPlanButton.appendChild(stripeScript);
  
  const stripeBuyButton = document.createElement('stripe-buy-button');
  stripeBuyButton.setAttribute('buy-button-id', 'buy_btnXXXXXXXf');
  stripeBuyButton.setAttribute('publishable-key', 'pk_test_51MyXXXXXXXX9x7SNN');
  basicPlanButton.appendChild(stripeBuyButton);

下面是index.html代码

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>QuickDic</title>
<script src="content.js"></script>  
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://js.stripe.com https://js.stripe.com/v3/;">
</head>
<body>
  
    <script async
    src="https://js.stripe.com/v3/buy-button.js">
    </script>

    <stripe-buy-button
    buy-button-id="buy_btn_1NXXXXXXXXXXXXX"
    publishable-key="pk_test_51XXXXXXXXXXXXXX">
    </stripe-buy-button>
</body>
</html>

下面是我的manifest.json文件:

{
  "manifest_version": 3,
  "name": "Name AI",
  "version": "1.0.0",
  "permissions": [
    "storage",
    "http://localhost:5000/*",
    "activeTab"
  ],
  "host_permissions": [
    "https://js.stripe.com/",
    "https://js.stripe.com/v3/buy-button.js"
],
  "web_accessible_resources": [
    {
      "resources": [ "image/*.gif", "image/*.png", "https://js.stripe.com/v3/buy-button.js"],
      "matches": [ "<all_urls>" ]

    }
  ], 
  "description": "Quickly Access AI",
  "content_scripts": [
      {
        "matches": ["<all_urls>"],
        "js": ["content.js"],
        "run_at": "document_end"        
      }
  ],
  "action": {
    "default_popup": "index.html"
  },
  "icons": {
    "48": "icon-48.png",
    "128": "icon-128.png"
  }
}
pod7payv

pod7payv1#

您的index.html的 meta标记中CSP的script-src指令与错误消息中给出的指令不匹配。这意味着定义了多个CSP,并且所有内容都需要通过所有策略。
首先查看响应头,以查看其中设置了哪些CSP。如果它们是由你控制的东西设置的,你应该修改script-src以允许js.stripe.com。如果它们是由其他人设置的,您唯一的选择可能是通过代理请求来删除它。

fv2wmkja

fv2wmkja2#

您需要修改您现有manifest.json文件中的json属性web_accessible_resources
就像下面这样:

"web_accessible_resources": [
    "https://js.stripe.com/v3/buy-button.js"
],

并且还需要从 meta标记中删除'unsafe-inline'和'unsafe-eval'值
像下面这样修改的 meta标签:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://js.stripe.com https://js.stripe.com/v3/;">

相关问题