我需要为客户实施内容安全策略。
一切都很好,除了JS脚本。我需要允许外部JS脚本。
在我的vhost apache中的代码:
Header set X-Content-Type-Options: "nosniff"Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"Header set Content-Security-Policy "default-src 'self' https:// multiple domains ; img-src 'self' www.googletagmanager.com ; style-src 'self' 'unsafe-inline' ; script-src * 'self' 'unsafe-inline'; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com/gtag/js ; object-src 'self'; form-action 'self' "Header set X-Frame-Options: "sameorigin"Header set X-XSS-Protection "1; mode=block"Options FollowSymLinks MultiViewsAllowOverride All
我补充说:
script-src * 'self' 'unsafe-inline';
但是,我仍然得到一个错误消息:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'.
该怎么办呢?
Thanks in advance
1条答案
按热度按时间f45qwnt81#
你基本上有两个选择:
1.良好和安全的选择:如此处所述重写eval语句https://web.dev/csp/#eval-too
1.坏的和usafe选项:将'unsafe-eval'添加到script-src