GreenOWL
(Green OWL)
1
Hello! I'm having a problem with my CSP, how do I fix it?

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://mydomain.com/logs/ https://mydomain.com/sidekiq/ https://mydomain.com/mini-profiler-resources/ https://mydomain.com/assets/ https://mydomain.com/brotli_asset/ https://mydomain.com/extra-locales/ https://mydomain.com/highlight-js/ https://mydomain.com/javascripts/ https://mydomain.com/plugins/ https://mydomain.com/theme-javascripts/ https://mydomain.com/svg-sprite/ https://mydomain.com". Either the 'unsafe-inline' keyword, a hash ('sha256-ScCk7JwXKy22dTO0VFM7aV1chV+yd/MUda4X6VnGans='), or a nonce ('nonce-...') is required to enable inline execution.
To test, I entered "safe mode", and the same problem exists in safe mode.
1 like
This isn't my strong suit, but I searched a bit and you may need to rewrite the inline script you're trying to use:
2 likes
GreenOWL
(Green OWL)
3
1 like
GreenOWL
(Green OWL)
6
Hmm...
It looks like I found the cause. The problem seems to be due to the CSP meta tag I'm using in my theme:
<meta http-equiv="Content-Security-Policy" content="img-src https://imgur.com https://giphy.com">
I need to use the img-src directive to restrict images from displaying from forbidden hosts.
Falco
(Falco)
7
That CSP directive will absolutely break Discourse completely.
2 likes
GreenOWL
(Green OWL)
8
How can I change the default CSP directives in the header to add img-src without using a meta tag? I tried this in Rails, but nothing changed:
Rails.application.config.action_dispatch.default_headers.merge!({'Content-Security-Policy' => "upgrade-insecure-requests; base-uri 'self'; object-src 'none'; script-src https://mydomain.com/logs/ https://mydomain.com/sidekiq/ https://mydomain.com/mini-profiler-resources/ https://mydomain.com/assets/ https://mydomain.com/brotli_asset/ https://mydomain.com/extra-locales/ https://mydomain.com/highlight-js/ https://mydomain.com/javascripts/ https://mydomain.com/plugins/ https://mydomain.com/theme-javascripts/ https://mydomain.com/svg-sprite/; worker-src 'self' https://mydomain.com/assets/ https://mydomain.com/brotli_asset/ https://mydomain.com/javascripts/ https://mydomain.com/plugins/; frame-ancestors 'self'; manifest-src 'self'; img-src data: https://mydomain.com https://imgur.com"})
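When a page carries both a CSP response header and a CSP meta tag, the browser enforces every policy independently, so a second policy can only remove sources, never add them; the added example below (my own code, not Discourse's, implementing a subset of the CSP3 source-matching rules with no host wildcards) evaluates image and script loads against a shortened form of the header policy from this post together with the meta tag from post 6, and shows the meta tag blocking images from the forum's own origin:

```python
from urllib.parse import urlsplit

# Shortened copy of the header policy attempted above, plus the theme's meta tag.
HEADER = ("base-uri 'self'; object-src 'none'; "
          "script-src https://mydomain.com/assets/ https://mydomain.com/plugins/; "
          "worker-src 'self' https://mydomain.com/assets/; "
          "img-src data: https://mydomain.com https://imgur.com")
META = "img-src https://imgur.com https://giphy.com"
ORIGIN = "https://mydomain.com"  # constructed example origin


def parse_csp(policy):
    """Parse a serialized policy into {directive: [source expressions]}."""
    out = {}
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def source_matches(expr, url, origin):
    """Match one source expression against a URL (subset of CSP3 rules)."""
    if expr == "'self'":
        expr = origin
    if expr.startswith("'"):          # keywords, hashes, nonces: not URL sources
        return False
    if expr.endswith(":"):            # scheme-source such as data: or https:
        return url.startswith(expr)
    e, u = urlsplit(expr), urlsplit(url)
    if (e.scheme, e.netloc) != (u.scheme, u.netloc):
        return False                  # exact host match, so mydomain.com.evil.test fails
    if not e.path:
        return True                   # host-source without a path covers any path
    if e.path.endswith("/"):
        return u.path.startswith(e.path)  # trailing slash: path-prefix match
    return u.path == e.path           # otherwise the path must match exactly


def allowed(directive, url, policies, origin=ORIGIN):
    """A load is permitted only if every policy in effect permits it."""
    for policy in policies:
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue                  # this policy does not govern the directive
        if not any(source_matches(s, url, origin) for s in sources):
            return False
    return True


HEADER_ONLY = [parse_csp(HEADER)]
HEADER_AND_META = [parse_csp(HEADER), parse_csp(META)]
```

With the header alone, an image from https://mydomain.com/uploads/ is allowed; adding the meta tag rejects it, because the meta policy's img-src lists neither 'self' nor the forum's own origin.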
GreenOWL
(Green OWL)
9
I removed this meta tag, and after rebuilding the problem was solved.