My Netlify app is having a problem with its CSP rules.
I'm trying to use Tailwind's CDN on my site. In development it works fine, but when I deploy to Netlify it says the CDN has been blocked by the CSP policy.
I already have the CDN URL in the _headers file, but it makes no difference at all.
This is how I set up my _headers file:
/*
  Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
  Content-Security-Policy: default-src https: 'self' *.netlify.app; connect-src 'self' 'unsafe-inline' https://accounts.google.com/gsi/* https://google.com/pagead/* https://google.com/ccm/* https://bat.bing.com/* https://google.com/* https://app-cdn.clickup.com/* https://forms.clickup.com/* *.clarity.ms *.googleadservices.com *.bing.com connect.facebook.net *.facebook.net snap.licdn.com *.ads.linkedin.com *.adsymptotic.com https://cdn.tailwindcss.com/cdn.linkedin.oribi.io *.facebook.com analytics.google.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net *.google.com *.google.com.br gap: ws:* *.fontawesome.com *.w3.org cdnjs.cloudflare.com *.cloudfront.net *.amazonaws.com *.ampproject.org bat.bing.com; font-src 'self' fonts.gstatic.com cdnjs.cloudflare.com *.cloudflare.com; frame-src https://accounts.google.com/gsi/ *.google.com *.facebook.com *.bing.com *.youtube.com *.instagram.com; img-src 'self' data: blob: *.facebook.com *.clarity.ms *.linkedin.com *.bing.com snap.licdn.com *.ads.linkedin.com *.adsymptotic.com *.amazonaws.com *.w3.org *.cloudfront.net i.ytimg.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net *.google.com *.google.com.br; script-src https://accounts.google.com/gsi/client https://bat.bing.com/ https://google.com/pagead https://google.com/ccm https: 'self' 'unsafe-inline' 'unsafe-eval' *.google.com google.com *.cloudfront.net snap.licdn.com analytics.google.com *.bing.com 'unsafe-inline' https://www.googletagmanager.com; style-src https://accounts.google.com/gsi/style https://cdn.tailwindcss.com/ https: 'self' 'unsafe-inline'; frame-ancestors 'self';
  Permissions-Policy: accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=*, gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(), usb=()
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Set-Cookie: HttpOnly; Secure; SameSite=Strict;
The error is:
Refused to connect to 'https://cdn.tailwindcss.com/' because it violates the following Content Security Policy directive: "connect-src 'self' 'unsafe-inline' ...
In the connect-src directive you listed "https://cdn.tailwindcss.com/cdn.linkedin.oribi.io", which means cdn.tailwindcss.com is restricted to the path /cdn.linkedin.oribi.io. It should probably be "https://cdn.tailwindcss.com/ https://cdn.linkedin.oribi.io/", or just the hostnames without the scheme and the slash.
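To make that point concrete, here is an added example (not part of the question or the answer) that implements a simplified version of CSP Level 3 host-source and scheme-source matching; it assumes an https page and skips 'self', nonces and hashes. Run against the URL from the error message, the faulty entry denies it while both corrected forms allow it.

```python
from urllib.parse import urlsplit


def _parse_source(source: str):
    """Split 'https://host/path' or 'host/path' into (scheme, host, path)."""
    scheme, _, rest = source.partition("://") if "://" in source else ("", "", source)
    host, slash, path = rest.partition("/")
    return scheme.lower(), host.lower(), slash + path  # path is "" when there is no slash


def source_matches(source: str, url: str) -> bool:
    """True if one host-source (e.g. *.google.com) or scheme-source (https:) allows url."""
    if source.endswith(":"):  # scheme-source: any URL with that scheme
        return urlsplit(url).scheme == source[:-1].lower()
    scheme, host, path = _parse_source(source)
    u = urlsplit(url)
    if scheme and u.scheme != scheme:  # an explicit scheme must match
        return False
    if not scheme and u.scheme not in ("http", "https"):  # simplification: scheme-less = http(s)
        return False
    if host.startswith("*."):  # wildcard covers subdomains only, not the bare domain
        if not u.hostname or not u.hostname.endswith(host[1:]):
            return False
    elif host != u.hostname:
        return False
    if path in ("", "/"):  # no path part: every path on the host is allowed
        return True
    if path.endswith("/"):  # trailing slash: prefix match
        return u.path.startswith(path)
    return u.path == path  # otherwise the path must match exactly


def directive_allows(directive_value: str, url: str) -> bool:
    """Apply one directive's source list; quoted keywords like 'self' are skipped here."""
    sources = [s for s in directive_value.split() if not s.startswith("'")]
    return any(source_matches(s, url) for s in sources)


# Constructed excerpt of the question's connect-src list, with the faulty entry kept.
CONNECT_SRC = "'self' https://cdn.tailwindcss.com/cdn.linkedin.oribi.io *.google.com"

if __name__ == "__main__":
    blocked = "https://cdn.tailwindcss.com/"  # the URL from the error message
    print(directive_allows(CONNECT_SRC, blocked))                     # False
    print(directive_allows("https://cdn.tailwindcss.com/", blocked))  # True
    print(directive_allows("cdn.tailwindcss.com", blocked))           # True
```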