I want to test a local script that calls third-party scripts (testing a SaaS application). However, since my domain is not in the directive, I am blocked by the CSP policy.
The CSP is set by a meta HTML tag with http-equiv="Content-Security-Policy".
How can I bypass these policies? I have tried several extensions and failed.
Example meta tag:
<meta http-equiv="Content-Security-Policy" content="
script-src 'self' 'unsafe-eval' 'unsafe-inline' *.braintreegateway.com *.paypalobjects.com *.paypal.com *.googlecommerce.com https://*.screenpopper.com screenpopper.com
*.google.com *.facebook.com *.facebook.net *.bing.com *.criteo.net *.google-analytics.com https://*.acsbap.com
*.doubleclick.net *.criteo.com *.nr-data.net https://cdn.ywxi.net *.mcafeesecure.com *.googleapis.com *.klevu.com https://static.klaviyo.com/ https://static-tracking.klaviyo.com/ https://*.gorgias.chat/ https://polyfill.io/
*.gstatic.com *.youtube.com *.emailage.com *.googleadservices.com *.googletagmanager.com *.oraclecloud.com
*.trustlogo.com *.trustedsite.com https://www.clickcease.com
secure.comodo.com *.criteo.com *.bbb.org *.newrelic.com *.callrail.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/
https://*.amazon.com https://static-na.payments-amazon.com https://*.amazonpay.com *.rtb123.com
https://*.cloudfront.net https://widget.trustpilot.com https://*.getbread.com https://*.digicert.com https://*.inspectlet.com https://*.fontawesome.com;
form-action 'self' *.paypal.com sandbox.paypal.com https://*.amazon.com https://cdn.ywxi.net *.facebook.com;
frame-src 'self' *.google.com https://*.accessibe.com *.facebook.com *.paypalobjects.com https://acsbapp.com https://*.acsbapp.com https://acsbap.com https://player.vimeo.com/ *.braintreegateway.com
https://widget.trustpilot.com https://*.paypal.com/ *.trustedsite.com https://cdn.ywxi.net https://bid.g.doubleclick.net
https://www.sandbox.paypal.com/ https://www.youtube.com/ *.amazon.com *.getbread.com *.payments-amazon.com ;">
Content Security Policy is a security mechanism that cannot be bypassed. Adding another policy only makes the overall enforced policy stricter. You may need to rewrite the content, for example through a proxy, or check whether CSP enforcement can be disabled in the browser.
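To make the answer's two points concrete, here is an added example (not code from the original question or answer): a minimal JavaScript matcher for CSP host-source expressions, run against a shortened copy of the question's script-src. It shows why a script from an origin outside the allow-list is refused, that two policies are enforced as an intersection (so a second meta tag can only narrow what is allowed), and what a rewriting proxy would have to change in the meta tag's content attribute to let the tester's origin through. The page origin https://shop.example and the tester origin https://tester.example are assumptions, and the matcher covers 'self', scheme and host sources only (no nonces, hashes or 'strict-dynamic').

```javascript
// Added example, not code from the original post: a small CSP matcher for
// host-based directives such as script-src. All policy text, URLs and origins
// below are constructed samples; https://tester.example is an assumed origin.

const FETCH_DIRECTIVES = new Set(['script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'media-src', 'object-src', 'frame-src']);

// Parse "name src src; name src" into { name: [src, ...] }. Per the CSP spec the
// first occurrence of a directive name wins and later duplicates are ignored.
function parsePolicy(policyText) {
  const directives = {};
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// "*.example.com" matches any subdomain but not the bare domain; "*" matches all.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit this URL? Keywords, nonces and hashes never
// match a URL; only 'self', scheme sources and host sources can.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // e.g. "https:"
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, hostPat, portPat, pathPat] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== pageScheme && !(pageScheme === 'http:' && url.protocol === 'https:')) {
    return false; // a scheme-less host source inherits the page's scheme (http may upgrade)
  }
  if (!hostMatches(hostPat, url.hostname)) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (portPat && portPat !== '*' && portPat !== urlPort) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  if (pathPat && pathPat !== '/') {
    if (pathPat.endsWith('/')) return url.pathname.startsWith(pathPat);
    return url.pathname === pathPat;
  }
  return true;
}

// Is loading resourceUrl under `directive` allowed by one policy?
function allowedByDirective(policyText, directive, resourceUrl, pageOrigin) {
  const d = parsePolicy(policyText);
  let sources = d[directive];
  if (!sources && FETCH_DIRECTIVES.has(directive)) sources = d['default-src'];
  if (!sources) return true; // nothing governs this directive: no restriction
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Several policies (extra <meta> tags or headers) are enforced independently, so
// a load must satisfy every one of them: adding a policy can only narrow access.
function allowedByAll(policies, directive, resourceUrl, pageOrigin) {
  return policies.every((p) => allowedByDirective(p, directive, resourceUrl, pageOrigin));
}

// Append a source to one directive (adding the directive if it is absent).
function addSourceToDirective(policyText, directive, source) {
  const parts = policyText.split(';').map((p) => p.trim()).filter(Boolean);
  let found = false;
  const out = parts.map((p) => {
    const tokens = p.split(/\s+/);
    if (!found && tokens[0].toLowerCase() === directive) {
      found = true;
      return tokens.includes(source) ? p : p + ' ' + source;
    }
    return p;
  });
  if (!found) out.push(directive + ' ' + source);
  return out.join('; ');
}

// What a rewriting proxy does for a meta-tag CSP: patch the content attribute in
// the HTML before the browser parses it. Assumes the attribute order and the
// double quotes used in the question's tag.
function rewriteMetaCsp(html, directive, source) {
  return html.replace(
    /(<meta\s+http-equiv="Content-Security-Policy"\s+content=")([^"]*)(")/i,
    (_, open, policy, close) => open + addSourceToDirective(policy, directive, source) + close
  );
}

// Constructed sample: a shortened version of the script-src from the question.
const SAMPLE_POLICY =
  "script-src 'self' 'unsafe-eval' 'unsafe-inline' *.paypal.com " +
  "https://www.google.com/recaptcha/ https://*.cloudfront.net; form-action 'self' *.paypal.com";
const PAGE_ORIGIN = 'https://shop.example'; // assumed origin of the SaaS page under test
const TESTER_ORIGIN = 'https://tester.example'; // assumed origin of the local test script
```

In practice `rewriteMetaCsp` is what a response hook in an intercepting proxy would do to the HTML; note that a policy delivered as a `Content-Security-Policy` response header is a second, independent policy, so a proxied page only loads the tester's script once every policy that applies allows it.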