我正在使用内容安全政策,我无法通过HTTPS加载样式表,图片和JavaScript
这一切都可以在HTTP上正常运行但是我很快就通过HTTPS获取了一个页面,我在Chrome控制台中遇到了错误
拒绝加载样式表 'http://my-domain/public/css/bootstrap.min.css',因为它违反了 以下内容安全策略指令:“style-src'self' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com https://fonts.googleapis.com 'nonce-SLkcvNDK0InbqoywRHBvWE9qYBDXLlmu'“。login:1
指向
<!DOCTYPE html>
以下是我的标题的创建方式
// Set a sample rule
$csp_rules = "default-src 'self'; script-src 'self' 'nonce-".RANDOM."' https://ajax.googleapis.com https://maxcdn.bootstrapcdn.com https://connect.facebook.net; style-src 'self' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com https://fonts.googleapis.com 'nonce-".RANDOM."'; font-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; img-src 'self' https://ajax.googleapis.com; frame-src https://s-static.ak.facebook.com https://www.facebook.com;";
foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp){
header($csp . ": " . $csp_rules);
}
// Provides Clickjacking protection.
header('X-Frame-Options: deny');
// This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
header('X-XSS-Protection: 1; mode=block');
// Pevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
header('X-Content-Type-Options: nosniff');
我是否需要在规则中添加任何内容,还是可能是其他内容?
修改
以下是源
中样式表链接的外观<link rel="stylesheet" href="https://my-domain/public/css/bootstrap.min.css">