通过虚拟框提供的ember-cli违反了内容安全策略

时间:2014-11-29 19:47:47

标签: ember.js virtualbox

我有一个新的ember-cli v.0.1.2应用程序。我在虚拟框中提供ember,并通过主机配置的网络适配器在192.168.56.102处从主机访问网页。

当我从虚拟框中运行ember serve并从主机访问192.168.56.102时,我在控制台上收到了以下错误:

 [Report Only] Refused to load the script 'http://192.168.56.102:35729/livereload.js?snipver=1' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729".
ember-cli-live-reload.js:5 (anonymous function)

livereload.js?snipver=1:193 [Report Only] Refused to connect to 'ws://192.168.56.102:35729/livereload' because it violates the following Content Security Policy directive: "connect-src 'self' ws://localhost:35729 ws://0.0.0.0:35729".

我使用ember-cli-content-security-policy尝试了各种配置而没有运气:

 contentSecurityPolicy: {
    'default-src': "'none'",
    'script-src': "'self'",
    'font-src': "'self'",
    'connect-src': "'self'",
    'img-src': "'self'",
    'style-src': "'self'",
    'media-src': "'self'"
  }

如何为虚拟盒开发解决这些错误?

修改

因此,根据此解决方案:EmberCspTutorial和博文:https://blog.justinbull.ca/how-to-configure-csp-in-your-ember-cli-app/

此配置修复了错误:

  ENV.contentSecurityPolicy = {
      'default-src': "'none'",
      'script-src': "'self' 'unsafe-eval' 192.168.56.102:35729",
      'font-src': "'self'",
      'connect-src': "'self' ws://192.168.56.102:35729",
      'img-src': "'self'",
      'style-src': "'self'",
      'media-src': "'self'"
  };

还有30分钟的视频解释所有这些,但是我可以使用一些可能会改变的硬编码的ip,一个全面的解释将被接受为答案。

如何为data:application/font*

启用CSP

我已经包含了一些字体,现在我遇到了这些错误,CSP配置是什么来压制这些:

[Report Only] Refused to load the font 'data:application/font-woff;charset=utf-8;base64,d09GRk9UVE8AAAVwAAoAAAAABSg…IAeQAgAEkAYwBvAE0AbwBvAG4ALgAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' because it violates the following Content Security Policy directive: "font-src 'self' data:application/* http://fonts.gstatic.com".

192.168.56.102/:1 [Report Only] Refused to load the font 'data:application/x-font-ttf;charset=utf-8;base64,AAEAAAALAIAAAwAwT1MvMggjCB…BiAHkAIABJAGMAbwBNAG8AbwBuAC4AAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==' because it violates the following Content Security Policy directive: "font-src 'self' data:application/* http://fonts.gstatic.com".

根据reference,这有效:

  ENV.contentSecurityPolicy = {
      'default-src': "'none'",
      'script-src': "'self' 'unsafe-eval' 192.168.56.102:35729",
      'font-src': "'self' data: http://fonts.gstatic.com",
      'connect-src': "'self' ws://192.168.56.102:35729",
      'img-src': "'self'",
      'style-src': "'self' fonts.googleapis.com",
      'media-src': "'self'"
  };

0 个答案:

没有答案
相关问题
最新问题