"[Report Only] Refused to load the font..." error message

Time: 2014-10-26 11:22:27

Tags: javascript ember.js ember-cli content-security-policy

More specifically:

[Report Only] Refused to load the font 'data:application/x-font-woff;charset=utf-8;base64,d09GRgABAAAAABBQAAoAAAAAG…H8zVsjnmMx0GcZ2HGViNOySWEa9fvEQtW43Nm+EOO0ZIpdLbMXoVzPJkcfHT6U+gLEpz/MAAAA' because it violates the following Content Security Policy directive: "font-src 'self'".

This is the contentSecurityPolicy object in environment.js:

Is there something wrong?

3 answers:

Answer 0 (score: 37)

Add 'font-src': "data:" to whitelist the font that is being loaded.
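The following is an added example to illustrate the accepted answer; it is not code from the question, the answer, or the ember-cli-content-security-policy add-on. It serialises an ember-cli-style contentSecurityPolicy object into the header value the browser sees, then evaluates a font URL against the policy's source list the way the browser does, so you can see why `font-src 'self'` refuses a `data:` font and why adding `data:` to `font-src` only (not to `script-src`) is the right-sized fix. The two policy objects, the `localhost:4200` origin and the truncated `data:` font URL are constructed assumptions, because the page does not show the asker's actual environment.js contents.

```javascript
// Added example, not from the original question/answer or from the
// ember-cli-content-security-policy add-on. Policy objects below are assumed.

const beforeFix = {
  'default-src': "'none'",
  'script-src': "'self'",
  'font-src': "'self'",
  'connect-src': "'self'",
  'img-src': "'self'",
  'style-src': "'self'",
  'media-src': "'self'",
};

// The fix from the accepted answer: add the data: scheme to font-src only.
const afterFix = { ...beforeFix, 'font-src': "'self' data:" };

// Turn the object into the header value the browser receives.
function serializeCsp(policy) {
  return Object.entries(policy)
    .map(([directive, value]) => `${directive} ${value}`)
    .join('; ');
}

// Inverse: parse a header value back into { directive: "source list" }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1).join(' ');
  }
  return policy;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Match a host-source (fonts.gstatic.com, https://cdn.example:8443,
// *.example.com) against a parsed URL by scheme, host and port.
function hostSourceMatches(source, u) {
  let rest = source;
  const schemeMatch = rest.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (schemeMatch) {
    if (`${schemeMatch[1].toLowerCase()}:` !== u.protocol) return false;
    rest = schemeMatch[2];
  }
  const [host, port] = rest.split('/')[0].toLowerCase().split(':');
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || '';
  if (port && port !== '*' && port !== urlPort) return false;
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

// Decide whether a URL fetched under `directive` (e.g. font-src) is allowed.
// Falls back to default-src when the directive is absent, as browsers do for
// the fetch directives.
function sourceAllowed(policy, directive, url, pageOrigin) {
  const list = policy[directive] ?? policy['default-src'];
  if (list === undefined) return true; // neither directive nor default-src: unrestricted
  const sources = list.split(/\s+/).filter(Boolean);
  if (sources.includes("'none'")) return false;
  const u = new URL(url, pageOrigin);
  for (const source of sources) {
    if (source === "'self'") {
      if (u.origin === pageOrigin) return true;
    } else if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
      // scheme-source such as data:, blob:, https:
      if (u.protocol === source.toLowerCase()) return true;
    } else if (!source.startsWith("'")) {
      if (hostSourceMatches(source, u)) return true;
    }
    // other quoted keywords ('unsafe-inline', nonces, hashes) never match a URL fetch
  }
  return false;
}

// Render the decision for one font fetch in the style of the console message.
function explainFontLoad(policy, url, pageOrigin) {
  const shown = `${url.slice(0, 40)}...`;
  return sourceAllowed(policy, 'font-src', url, pageOrigin)
    ? `Loaded the font '${shown}'`
    : `Refused to load the font '${shown}' because it violates ` +
      `"font-src ${policy['font-src'] ?? policy['default-src']}"`;
}

// Constructed sample input: a truncated data: font URL (not a real font) and
// the default ember-cli dev-server origin.
const DATA_FONT = 'data:application/x-font-woff;charset=utf-8;base64,d09GRgABAAAAABBQ';
const ORIGIN = 'http://localhost:4200';

console.log(serializeCsp(beforeFix));
console.log(explainFontLoad(beforeFix, DATA_FONT, ORIGIN));
console.log(explainFontLoad(afterFix, DATA_FONT, ORIGIN));
```

The `[Report Only]` prefix in the question's message means the add-on was sending the policy in a `Content-Security-Policy-Report-Only` header, so the font was still loaded and only the violation was logged; with an enforcing `Content-Security-Policy` header the same policy would actually block it. Adding `data:` to `font-src` lets the inlined font through without loosening `script-src`, which is where a `data:` source would be dangerous.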

Answer 1 (score: 1)

I spent a long time trying to figure out why the built version of my Polymer code was violating my CSP in Firefox and Safari (it worked in Chrome). It turned out that the Polymer components contain inline scripts, which can cause CSP problems when using 'unsafe-inline' & 'unsafe-eval' headers for Firefox and Safari, but if your script CSP includes data:, this will allow the inline scripts compiled during the Polymer build to run on your web app without violating the CSP. Thought I'd share this here, since this answer helped me solve my problem.

Answer 2 (score: 0)

You might consider using a comma ',' to delimit the exceptions:

Here is the example posted on the site: https://github.com/helmetjs/csp

const express = require('express')
const csp = require('helmet-csp')

const app = express()

app.use(csp({
  // Specify directives as normal.
  directives: {
    defaultSrc: ["'self'", 'default.com'],
    scriptSrc: ["'self'", "'unsafe-inline'"],
    styleSrc: ['style.com'],
    fontSrc: ["'self'", 'fonts.com'],
    imgSrc: ['img.com', 'data:'],
    sandbox: ['allow-forms', 'allow-scripts'],
    reportUri: '/report-violation',
    objectSrc: ["'none'"],
    upgradeInsecureRequests: true,
    workerSrc: false  // This is not set.
  },

  // This module will detect common mistakes in your directives and throw errors
  // if it finds any. To disable this, enable "loose mode".
  loose: false,

  // Set to true if you only want browsers to report errors, not block them.
  // You may also set this to a function(req, res) in order to decide dynamically
  // whether to use reportOnly mode, e.g., to allow for a dynamic kill switch.
  reportOnly: false,

  // Set to true if you want to blindly set all headers: Content-Security-Policy,
  // X-WebKit-CSP, and X-Content-Security-Policy.
  setAllHeaders: false,

  // Set to true if you want to disable CSP on Android where it can be buggy.
  disableAndroid: false,

  // Set to false if you want to completely disable any user-agent sniffing.
  // This may make the headers less compatible but it will be much faster.
  // This defaults to `true`.
  browserSniff: true
}))
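The helmet-csp config above points reportUri at /report-violation but the answer does not show what receives those reports. The following is an added example, not part of the answer and not helmet-csp or Express code: a handler that parses one CSP violation report and turns it into a remediation hint, so that a data: font violation like the one in the question is recognised and the fix is steered to font-src rather than script-src. The sample report is constructed to resemble what a browser posts for that violation (browsers typically report a blocked data: URL as the bare string "data" rather than the full payload); the Express mounting shown in the trailing comment is an assumption and is not executed by the block.

```javascript
// Added example, not from the answer above, helmet-csp or Express.
// SAMPLE_REPORT is a constructed report body, not a captured one.

const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'http://localhost:4200/',
    'referrer': '',
    'violated-directive': "font-src 'self'",
    'effective-directive': 'font-src',
    'original-policy': "default-src 'none'; script-src 'self'; font-src 'self'",
    'blocked-uri': 'data',
    'status-code': 200,
  },
});

// Directives under which allowing the data: scheme is usually acceptable.
// data: under script-src (or default-src) would let attacker-controlled
// data: URLs execute, so it is deliberately not in this set.
const DATA_OK = new Set(['font-src', 'img-src', 'media-src']);

// Parse one report body and return a structured summary plus a hint.
function summarizeReport(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { error: 'invalid JSON' };
  }
  const r = body['csp-report'] ?? body; // tolerate senders that omit the wrapper
  // effective-directive is the fetch directive actually applied; older
  // senders only carry violated-directive, whose first token is the name.
  const directive = r['effective-directive']
    ?? String(r['violated-directive'] ?? '').split(/\s+/)[0];
  if (!directive) return { error: 'no directive in report' };
  const blocked = String(r['blocked-uri'] ?? '');

  let hint;
  if (blocked === 'data' || blocked.startsWith('data:')) {
    hint = DATA_OK.has(directive)
      ? `add data: to ${directive}`
      : `data: blocked under ${directive}; do not add data: to ${directive}, ` +
        `find the source of the data: resource instead`;
  } else if (blocked === 'inline' || blocked === 'eval') {
    hint = `${blocked} blocked under ${directive}; prefer a nonce or hash over 'unsafe-inline'`;
  } else {
    let origin = blocked;
    try {
      origin = new URL(blocked).origin;
    } catch (e) {
      // not an absolute URL; keep the raw value
    }
    hint = `decide whether ${origin} belongs in ${directive}`;
  }
  return { directive, blocked, document: r['document-uri'], hint };
}

// Assumed wiring into the Express app from the answer (not executed here).
// Browsers send reports with Content-Type application/csp-report:
//   app.post('/report-violation',
//     express.json({ type: ['application/csp-report', 'application/json'] }),
//     (req, res) => {
//       console.log(summarizeReport(JSON.stringify(req.body)));
//       res.sendStatus(204);
//     });

console.log(summarizeReport(SAMPLE_REPORT));
```

Running in reportOnly mode first and reading these reports is how you find out which directives are too tight before switching to an enforcing header; the hint logic makes the one distinction that matters most, which is that `data:` is a cheap, reasonable allowance for fonts and images but not for scripts.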