gpt4 book ai didi

javascript - 拒绝加载脚本,因为它违反了以下内容安全策略指令

转载 作者:行者123 更新时间:2023-12-04 13:33:00 28 4
gpt4 key购买 nike

所有来自外部的脚本都有这个错误:

Refused to load the script'https://code.jquery.com/jquery-3.4.1.slim.min.js' because it violatesthe following Content Security Policy directive: "script-src 'self'https://xxxx.com https://ajax.googleapis.com'sha256-V8KVL4e3S2PwNnwHfycBcJMRnRhyyPiEpdxcGNLxzvk='". Note that'script-src-elem' was not explicitly set, so 'script-src' is used as afallback.


我搜索此错误,但所有解决方案都有 'unsafe-eval' 'unsafe-inline .
根据我的理解,我需要编写一个元标记。像这样的东西:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
我删除了 unsafe-inline 和 unsafe-eval,但问题仍然存在。任何的想法?
这是我的标题中的内容:
<head>
<link rel="icon" href="img/am.png">
<meta charset="utf-8">
<!-- Required meta tags -->
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<script src="https://use.fontawesome.com/releases/v5.0.6/js/all.js"></script>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css"
integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
<link href="https://fonts.googleapis.com/css?family=Montserrat:300,600,700i" rel="stylesheet">
<link rel="stylesheet" href="style.css">

<title>Title</title>

</head>
在结束正文标签之前,我有更多包含的脚本
<script src="https://code.jquery.com/jquery-3.4.1.slim.min.js"
integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n"
crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js"
integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo"
crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"
integrity="sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6"
crossorigin="anonymous"></script>
总共有四个脚本被阻止。一个在标题(frontawesome)中,另一个在结束正文标记之前的脚本中。

最佳答案

script-src 'self' https://xxxx.com https://ajax.googleapis.com'sha256-V8KVL4e3S2PwNnwHfycBcJMRnRhyyPiEpdxcGNLxzvk='


意味着您的 CMS(或服务器)已经以某种方式发布了内容安全策略:
  • PHP header() 函数
  • .htaccess 文件
  • < meta http-equiv="Content-Security-Policy")
  • 网络服务器配置(低概率)

  • 你需要找到它在哪里完成(在 CMS 中,它应该是管理标题的插件)。
    然后添加到 script-src 指令:
  • 任一主机源(如果 CDN 具有公共(public)上传,则安全性较低):
    https://use.fontawesome.com https://code.jquery.com https://cdn.jsdelivr.net https://stackpath.bootstrapcdn.com
  • 或来自脚本完整性属性的单引号哈希(更安全):
    'sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYforRSJoZ+n'
    'sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo'
    'sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6'
    'sha384-0AJY8UERSBUKdWcyF3o2kisLKeIo6G4Tbd8Y6fbyw6qYmn4WBuqcvxokp8m2UzSD'
  • 或混合:
    'sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYforRSJoZ+n'
    'sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo'
    'sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6'
    https://use.fontawesome.com

  • 在第二个选项中,您必须在 head 部分向脚本添加完整性 = 属性:
    <script src="https://use.fontawesome.com/releases/v5.0.6/js/all.js"
    integrity="sha384-0AJY8UERsBUKdWcyF3o2kisLKeIo6G4Tbd8Y6fbyw6qYmn4WBuqcvxokp8m2UzSD"
    crossorigin="anonymous"></script>
    更新:
    添加了第三个选项(混合规则),以防在 <head> 中更改以下脚本不切实际sect(完整性属性加法):
    <script src="https://use.fontawesome.com/releases/v5.0.6/js/all.js"></script>

    关于javascript - 拒绝加载脚本,因为它违反了以下内容安全策略指令,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63909548/

    28 4 0
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com