我的应用程序必须使用Google字体。链接如下：
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet" >
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600,100|Raleway:400,600,100" rel="stylesheet" >
<link href="https://fonts.googleapis.com/css?family=Roboto&display=swap" rel="stylesheet" >
浏览器由于content security policy
而阻止了该请求。因此，我使用了Joonasw.AspNetCore.SecurityHeaders。以下是我的Startup.cs：
// Configures the HTTP request pipeline. Middleware runs in registration order, so the
// security-header middleware (HSTS, HPKP, CSP) is registered before anything that writes
// a response body (static files, endpoints, Swagger).
public void Configure(IApplicationBuilder app, IWebHostEnvironment env) {
app.UseSerilogRequestLogging();
if (env.IsDevelopment()) {
app.UseDeveloperExceptionPage();
}
else {
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
//app.UseHsts();
}
// HSTS is sent in every environment (the template's call above is commented out in favour of this one):
// max-age of 30 days, without includeSubDomains and without preload.
app.UseHsts(new HstsOptions(TimeSpan.FromDays(30), includeSubDomains: false, preload: false));
// Use certificate pinning with:
// - 30-day caching period
// - One pin in SHA-256 form
// - Report-Only = Invalid certificate should not be reported, but:
// - Report problems to /hpkp-report
// NOTE(review): HPKP is deprecated and no longer enforced by current browsers; an enforcing header
// with a wrong pin can lock clients out for the whole max-age, so keep SetReportOnly() or drop this
// middleware. The pin below looks like the library's README sample - verify it belongs to this site's key.
app.UseHpkp(hpkp = >{
hpkp.UseMaxAgeSeconds(30 * 24 * 60 * 60).AddSha256Pin("nrmpk4ZI3wbRBmUZIT5aKAgP0LlKHRgfA2Snjzeg9iY=").SetReportOnly().ReportViolationsTo("/hpkp-report");
});
// Content-Security-Policy. Each directive is a host allow-list; AddNonce() adds a per-request
// 'nonce-...' source, which means inline <script>/<style> elements must carry the matching nonce
// attribute or the browser blocks them (external resources are matched by host, not by nonce).
app.UseCsp(csp = >{
// If nothing is mentioned for a resource class, allow from this domain
csp.ByDefaultAllow.FromSelf();
// Allow JavaScript from:
csp.AllowScripts.FromSelf() //This domain
.From("cdnjs.cloudflare.com").AddNonce(); //<----;
// CSS allowed from:
// The Google Fonts <link> stylesheets are external, so the fonts.googleapis.com host entry is what
// admits them; fonts.gstatic.com presumably only serves the font files themselves (font-src below) - verify
// against the blocked request in the browser's console.
csp.AllowStyles.FromSelf().From("fonts.googleapis.com").From("fonts.gstatic.com").AddNonce(); //<----;
csp.AllowImages.FromSelf();
// HTML5 audio and video elemented sources can be from:
csp.AllowAudioAndVideo.FromNowhere();
// Contained iframes can be sourced from:
csp.AllowFrames.FromNowhere(); //Nowhere, no iframes allowed
// Allow AJAX, WebSocket and EventSource connections to:
// NOTE(review): hard-coded development endpoints; consider reading them from configuration so a
// production build does not carry localhost entries - TODO confirm.
csp.AllowConnections.To("ws://localhost:1591").To("http://localhost:1591").ToSelf();
// Allow fonts to be downloaded from:
csp.AllowFonts.FromSelf().From("fonts.googleapis.com").From("fonts.gstatic.com");
// Allow object, embed, and applet sources from:
csp.AllowPlugins.FromNowhere();
// Allow other sites to put this in an iframe?
csp.AllowFraming.FromNowhere(); // Block framing on other sites, equivalent to X-Frame-Options: DENY
//// Do not block violations, only report
//// This is a good idea while testing your CSP
//// Remove it when you know everything will work
//csp.SetReportOnly();
//// Where should the violation reports be sent to?
//csp.ReportViolationsTo("/csp-report");
// Do not include the CSP header for requests to the /api endpoints
// (this skips the whole policy configured above for those responses, not just the nonce).
csp.OnSendingHeader = context = >{
context.ShouldNotSend = context.HttpContext.Request.Path.StartsWithSegments("/api");
return Task.CompletedTask;
};
});
// Rewrites the request scheme to https for everything downstream (URL generation, IdentityServer
// discovery/redirect URLs) regardless of how the connection actually arrived.
// NOTE(review): this does not make the connection TLS. Presumably it compensates for a
// TLS-terminating reverse proxy; if so, UseForwardedHeaders driven by the proxy's
// X-Forwarded-Proto header is the supported mechanism - confirm.
app.Use((context, next) = >{
context.Request.Scheme = "https";
return next();
});
// NOTE(review): with endpoint routing (3.x) UseCors is documented to go after UseRouting and
// before UseAuthorization - verify the ordering here.
app.UseCors("api");
app.UseStaticFiles();
app.UseRouting();
// No explicit UseAuthentication() here; presumably UseIdentityServer registers it - verify.
app.UseIdentityServer();
app.UseAuthorization();
app.UseEndpoints(endpoints = >{
endpoints.MapDefaultControllerRoute();
});
// HTTPS redirection is disabled; the scheme rewrite above is used instead - TODO confirm intent.
//app.UseHttpsRedirection();
// NOTE(review): Swagger and its UI are served in every environment (not gated on
// env.IsDevelopment()); confirm that exposing the API description in production is intended.
app.UseSwagger();
app.UseSwaggerUI(c = >{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "API V1");
});
但是仍然显示相同的错误。截图如下：
这里是请求示例,不确定为什么没有在请求上注入安全头
我是否配置错误?使用.net core 3.1
至少对于被阻止的调用，您需要为字体分别指定允许的来源：
// Scheme-qualified sources: "https://fonts.googleapis.com" matches only HTTPS, and a source that ends
// in a path ("https://fonts.gstatic.com/s/") matches only URLs under that path prefix, so font files
// served from any other path on fonts.gstatic.com would still be blocked.
csp.AllowFonts.FromSelf().From("https://fonts.googleapis.com").From("https://fonts.gstatic.com/s/");
另外：
// NOTE(review): AllowUnsafeInline() emits 'unsafe-inline', which removes the protection against
// injected inline styles. If the directive also carries a nonce (the question's AddNonce()),
// CSP Level 2+ browsers ignore 'unsafe-inline' anyway, so prefer the nonce on its own.
csp.AllowStyles.FromSelf().AllowUnsafeInline().From("https://fonts.googleapis.com")
对于样式，您可以像上面所示那样使用AllowUnsafeInline()；如果脚本产生eval错误，则可以尝试.AllowUnsafeEval()