Despite setting the following headers:
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'self' 'unsafe-inline' *.speech.is http://bits.speech.is https://bits.speech.is http://speech.is
JavaScript still blocks me from accessing iframe.contentWindow.document:
Error: Permission denied to access property 'document'
speech.contentWindow.document
after http://bits.speech.is, from the Firefox console. Chrome gives something more detailed but still cryptic:
SecurityError: Blocked a frame with origin "http://bits.speech.is" from accessing a frame with origin "http://208.113.212.187". Protocols, domains, and ports must match.
code: 18
message: "Blocked a frame with origin "http://bits.speech.is" from accessing a frame with origin "http://208.113.212.187". Protocols, domains, and ports must match."
name: "SecurityError"
stack: "Error: Blocked a frame with origin "http://bits.speech.is" from accessing a frame with origin "http://208.113.212.187". Protocols, domains, and ports must match.↵ at <anonymous>:2:21↵ at Object.InjectedScript._evaluateOn (<anonymous>:580:39)↵ at Object.InjectedScript._evaluateAndWrap (<anonymous>:539:52)↵ at Object.InjectedScript.evaluate (<anonymous>:458:21)"
Is there any way to trace where this security policy is being set? How do I figure out what I am still missing?
Answer 0 (score: 1)
The best method I could find for fine-tuning CSP is a combination of these two:
For the latter, you need to add report-uri to your CSP header and use a unique http://cspbuilder.info/ URL as the report collector. You can also set the Content-Security-Policy-Report-Only variant until it starts working.
It would also help if you wrote which browser you are using. That message does not look like Chrome's CSP violation error - those are far more verbose and helpful than this one.
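The error quoted in the question comes from the browser's same-origin policy, which compares scheme, host and port of the two frames and is not influenced by Access-Control-Allow-Origin or Content-Security-Policy headers. The following Node-runnable JavaScript is an added example, not code from the question or the answer: it models that three-part check using the two origins from the question's error message, and shows the defensive pattern for talking to a frame on another origin, namely window.postMessage with an explicit targetOrigin on the sending side and an event.origin allow-list on the receiving side. The helper names (originMismatches, makeMessageHandler, postToFrame) and the message shape are assumptions made for this example.

```javascript
// Added example; not part of the original question or answer.

// Default ports, so "http://a.example" and "http://a.example:80" compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Split a URL into the origin tuple the browser compares.
function originParts(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,                               // e.g. "http:"
    host: u.hostname,                                   // e.g. "bits.speech.is"
    port: u.port || DEFAULT_PORTS[u.protocol] || '',    // explicit or default port
  };
}

// Which of scheme, host and port differ between two URLs. An empty
// result means same origin; anything else is the condition behind
// "Protocols, domains, and ports must match". CORS and CSP headers
// do not enter into this decision.
function originMismatches(a, b) {
  const pa = originParts(a);
  const pb = originParts(b);
  return ['protocol', 'host', 'port'].filter((k) => pa[k] !== pb[k]);
}

function sameOrigin(a, b) {
  return originMismatches(a, b).length === 0;
}

// Receiving side: build a "message" event handler that accepts data only
// from an allow-list of origins. Any page can postMessage into a frame, so
// event.origin must be checked before the payload is trusted; the message
// shape ({ type: string }) is a convention assumed for this example.
function makeMessageHandler(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return function handle(event) {
    if (!allowed.has(event.origin)) {
      return { accepted: false, reason: `untrusted origin ${event.origin}` };
    }
    const data = event.data;
    if (typeof data !== 'object' || data === null || typeof data.type !== 'string') {
      return { accepted: false, reason: 'malformed message' };
    }
    onMessage(data, event.origin);
    return { accepted: true };
  };
}

// Sending side: always name the expected target origin. A wildcard
// targetOrigin would deliver the message even if the frame has since
// navigated to an unrelated site, so it is rejected here.
function postToFrame(frameWindow, message, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to postMessage with wildcard targetOrigin');
  }
  frameWindow.postMessage(message, new URL(targetOrigin).origin);
}

// Walk-through with the two origins from the question's error message.
const scriptOrigin = 'http://bits.speech.is';
const frameOrigin = 'http://208.113.212.187';
console.log('same origin?', sameOrigin(scriptOrigin, frameOrigin));
console.log('mismatching parts:', originMismatches(scriptOrigin, frameOrigin));
```

Running the block prints `same origin? false` and `mismatching parts: [ 'host' ]`: the hostnames differ, so direct access to contentWindow.document is refused no matter what response headers either document sends. Anything the two documents need to exchange goes through postToFrame on one side and a handler from makeMessageHandler on the other.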