content-security-policy - What value should the Content-Security-Policy meta element use for <video src="blob:...">?

Reposted. Author: 行者123. Updated: 2023-12-03 21:30:37

My site at https://my-site.com has some HTML like the following:

<video src="blob:https://my-site.com/{some-guid}"></video>

In the console I get this error:

Refused to load media from 'blob:https://my-site.com/{some-guid}' because it violates the following Content Security Policy directive: "media-src *".

In my <head> I have this:

<meta http-equiv="Content-Security-Policy" content="media-src * blob:" />

What am I missing? I even tried the "catch all" (not super secure) value default-src * 'unsafe-inline' 'unsafe-eval', to no avail.

Using Chrome.

Best answer

The message says the CSP directive being applied is just media-src * (not media-src * blob:), which seems to indicate that the browser is getting a stricter policy from a Content-Security-Policy header, and that policy wins over the more lenient policy in the meta element.

So if your site is actually already using a Content-Security-Policy header, you need to change that policy to use a more liberal media-src directive that allows the blob: source.

You can't override a stricter Content-Security-Policy header value with a more liberal value specified in a meta element in the document. See https://w3c.github.io/webappsec-csp/#multiple-policies and https://w3c.github.io/webappsec-csp/#meta-element :

Note: A policy specified via a meta element will be enforced along with any other policies active for the protected resource, regardless of where they’re specified. The general impact of enforcing multiple policies is described in §8.1 The effect of multiple policies.

8.1. The effect of multiple policies

The behavior of an XMLHttpRequest might seem unclear given a site that, for whatever reason, delivered the following HTTP headers:

Content-Security-Policy: default-src 'self' http://example.com http://example.net;
connect-src 'none';
Content-Security-Policy: connect-src http://example.com/;
script-src http://example.com/

Is a connection to example.com allowed or not? The short answer is that the connection is not allowed.

Enforcing both policies means that a potential connection would have to pass through both unscathed. Even though the second policy would allow this connection, the first policy contains connect-src 'none', so its enforcement blocks the connection.

The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource.
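As an added example (not from the original post or the CSP spec), here is a small JavaScript model of the intersection rule the answer describes, run over the policies from the question and over the spec's §8.1 example; source matching is deliberately simplified (no wildcard hosts, ports or paths), and the blob URL's GUID is constructed.

```javascript
// Added example: a simplified model of how a browser combines several
// Content-Security-Policy policies. Each policy is enforced on its own and a
// request must pass all of them, so a lenient <meta> policy can never widen a
// stricter header policy. Assumptions: only keywords, '*', scheme-sources
// (blob:) and plain host-sources are modelled; no wildcard hosts, ports, paths.
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// Parse "dir1 src src; dir2 src" into a Map of directive name -> [sources].
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the request URL? selfUrl is the page URL.
function sourceMatches(expr, url, selfUrl) {
  if (expr.startsWith("'")) {          // keywords: only 'self' can match a URL
    return expr === "'self'" && url.origin === selfUrl.origin;
  }
  if (expr === "*") {                  // '*' never matches blob:, data: or filesystem:
    return NETWORK_SCHEMES.has(url.protocol) || url.protocol === selfUrl.protocol;
  }
  if (expr.endsWith(":")) return url.protocol === expr;  // scheme-source, e.g. blob:
  try {                                // host-source: compare origins only
    const hostUrl = new URL(expr.includes("://") ? expr : `${selfUrl.protocol}//${expr}`);
    return url.origin === hostUrl.origin;
  } catch { return false; }            // unparsable expression grants nothing
}

// One policy allows the request when it has no applicable directive (after
// falling back to default-src) or when some source expression matches.
function policyAllows(policy, directive, url, selfUrl) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  return sources === undefined || sources.some((e) => sourceMatches(e, url, selfUrl));
}

// Multiple policies combine by intersection: every policy must allow the request.
function isAllowed(policyTexts, directive, requestUrl, pageUrl) {
  const url = new URL(requestUrl), selfUrl = new URL(pageUrl);
  return policyTexts.every((t) => policyAllows(parsePolicy(t), directive, url, selfUrl));
}

// Worked cases from the post (the blob URL's GUID is constructed).
const page = "https://my-site.com/", blob = "blob:https://my-site.com/constructed-guid";
console.log(isAllowed(["media-src *", "media-src * blob:"], "media-src", blob, page)); // false: header wins
console.log(isAllowed(["media-src * blob:", "media-src * blob:"], "media-src", blob, page)); // true
console.log(isAllowed(["default-src 'self' http://example.com http://example.net; connect-src 'none'",
  "connect-src http://example.com/; script-src http://example.com/"], "connect-src", "http://example.com/", page)); // false
```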

For content-security-policy - What value should the Content-Security-Policy meta element use for <video src="blob:...">?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/42960811/
