我正在接受Cordova应用程序开发培训,并且我解决了内容安全策略的问题。
我的应用程序正在运行Android模拟器,但是当我必须执行javascript时,我在NetBeans(输出窗口)中收到一条消息。
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.gstatic.com". (22:35:56:126 | error, security)
at www/index.html:58
我的代码如下。这是我的index.html。 我试着理解CSP是如何工作的,我想我理解这个概念,但在这种情况下,我不明白这个问题。第58行是评论。
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' * data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'; script-src 'self' https://ssl.gstatic.com; media-src *">
<meta name="format-detection" content="telephone=no">
<meta name="msapplication-tap-highlight" content="no">
<meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width">
<title>Hello World</title>
<link rel="stylesheet" type="text/css" href="css/index.css">
</head>
<body>
<div class="app">
<h1>Apache Cordova</h1>
<div id="deviceready" class="blink">
<p class="event listening">Connecting to Device</p>
<p class="event received">Device is Ready</p>
</div>
</div>
<!--
line 58
-->
<button onclick="capturePhoto();">Capture Photo</button> <br>
<img style="display:none;width:80px;height:80px;" id="smallImage" src="" />
<img style="display:none;" id="largeImage" src="" />
<script type="text/javascript" src="cordova.js"></script>
<script type="text/javascript" src="js/index.js"></script>
</body>
</html>
预先感谢您的帮助,因为我需要它。 杰罗姆
答案 0 :(得分:51)
检查此link,它说:
不会执行内联JavaScript。此限制禁止内联
<script>块和内联事件处理程序(e.g. button onclick="...")。
避免出现如下指定的跨站点脚本问题
one.app#/home:1 Refused to execute inline event handler because it violates the following Content
Security Policy directive: "script-src 'self' 'nonce-d452460d-e219-a6e5-5709-c8af6ca82889'
chrome-extension: 'unsafe-inline' 'unsafe-eval' https://sfdc.azureedge.net
*.na34.visual.force.com https://ssl.gstatic.com/accessibility/". Note that 'unsafe-inline'
is ignored if either a hash or nonce value is present in the source list.
转到event listener functions而不是onclick='myFun()"。
<body onload="main();">
<button onclick="clickHandler(this)">
Click for awesomeness!
</button>
</body>
<script>
function clickHandler(element) {
// On click Code
}
function main() {
// Initialization work goes here.
}
</script>
为了使用新的浏览器,您需要编写代码,清楚地分离内容和行为。
<body>
<button>Click for awesomeness!</button>
</body>
<script src="popup.js"></script>
<!-- popup.js -->
document.addEventListener('DOMContentLoaded', function () {
document.querySelector('button').addEventListener('click', clickHandler);
main();
});
function clickHandler(element) {
// On click Code
}
function main() {
// Initialization work goes here.
}
<!-- popup.js -->
答案 1 :(得分:-1)
尝试将img-src *添加到Content-Security-Policy标记:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src *">