内容安全策略拒绝列出白名单

问题描述 投票:1回答:1

我在CSP标题上将youtube API域列入白名单,但它仍然拒绝该脚本。

CSP标题

default-src 'self'; script-src 'self' https://youtube.com/iframe_api s.ytimg.com; style-src 'self' ; img-src 'self' https://i.ytimg.com; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'none' ; child-src 'none' ; frame-src https://wwww.youtube.com ; worker-src 'self' ; frame-ancestors 'none' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; disown-opener; sandbox allow-scripts allow-same-origin; reflected-xss block; manifest-src 'self' ; referrer no-referrer;

错误

Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "script-src 'self' https://youtube.com/iframe_api s.ytimg.com".
header content-security-policy
1个回答
0
投票

通过使用strict-dynamic和使用nonce解决了这个问题

© www.soinside.com 2019 - 2024. All rights reserved.