I am following Google's strict CSP policy for my CSP header, and I am properly adding the nonce, however I keep getting this error in the browser for my scripts:
Refused to load the script 'http://localhost:8080/client/dist/inline.6e0c61259742e86be1dd.bundle.js' because it violates the following Content Security Policy directive: "script-src nonce-XVlBzgbaiCMRAjWwhTHctcuAxhxKQFDaFpLSjFbcXoEFfRsWxP 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:". 'strict-dynamic' is present, so host-based whitelisting is disabled.
As you can see, the nonce matches the nonce in the script:
<script type="text/javascript" src="/client/dist/inline.6e0c61259742e86be1dd.bundle.js" nonce="XVlBzgbaiCMRAjWwhTHctcuAxhxKQFDaFpLSjFbcXoEFfRsWxP"></script>
This is the CSP header I'm using for script-src. The "%s" represents the randomly generated nonce which will be interpolated before the header is set on the response:
script-src nonce-%s 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
What am I doing wrong here?
asked Jul 12, 2017 at 11:23 by Lansana Camara

1 Answer
It looks like you're not enclosing the nonce value in single quotes -- instead of nonce-%s it should be 'nonce-%s' in your policy.
Since you're using the Google example you probably know about the other directives necessary to make the policy safe (e.g. object-src and base-uri), but just in case, make sure to use a tool like the CSP Evaluator to sanity-check your policy when you're done.