我正在尝试在 nginx 上实现 Content-Security-Policy“frame-ancestors”。我已将标题设置为
add_header 内容安全策略“frame-ancestors 'https://6f4f-213-3-38-224.ngrok.io';”;
但是当我尝试从该站点添加 iframe 时,Chrome 显示以下错误:
拒绝构建“https://sandbox.byproperti.ch/”,因为祖先违反了以下内容安全策略指令:“frame-ancestors 'none'”。
以下是 nginx 的服务器块:
server {
listen 80;
listen [::]:80;
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ /log.csv {
deny all;
access_log off;
log_not_found off;
}
root /var/www/sandbox.byproperti.ch/doc/html;
index index.html index.html;
server_name xx.xxx.xxx.xx;
location /doc {
try_files $uri/ @doc;
}
location @doc {
rewrite ^/(doc|keyword)/? /index.html?_route_=$1&$args last;
}
listen 443 ssl;
add_header Content-Security-Policy "frame-ancestors 'https://6f4f-213-3-38-224.ngrok.io';";
ssl_certificate /etc/letsencrypt/live/sandbox.byproperti.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sandbox.byproperti.ch/privkey.pem;
}
阅读有关框架祖先的文档,请参阅“不允许在主机周围使用单引号。”
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
尝试不使用单引号
add_header Content-Security-Policy "frame-ancestors https://6f4f-213-3-38-224.ngrok.io";
可能是工作