Question

以下代码运行正常，因为我在元标记中添加了https://mobileapppractice.azurewebsites.net以防止违反CSP。

<!DOCTYPE html>
<html ng-app="" ng-init="backendUri='https://mobileapppractice.azurewebsites.net'">
<head>
    <meta charset="utf-8" />

    <!--
        Customize the content security policy in the meta tag below as needed. Add 'unsafe-inline' to default-src to enable inline JavaScript.
        For details, see http://go.microsoft.com/fwlink/?LinkID=617521
    -->
    
    <title>Kapok Practice</title>

    <script src="scripts/jquery-1.9.1.min.js"></script>
    <script src="scripts/angular.min.js"></script>
    <script src="scripts/MobileServices.Web-2.0.0-beta.min.js"></script>
    <script src="scripts/appBundle.js"></script>
    
    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https://mobileapppractice.azurewebsites.net data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
    
    <!-- BlankCordovaApp2 references -->
    <link href="css/index.css" rel="stylesheet" />
</head>
<body>
    
    <p>Hello, your application is ready! </p>
    

    <!-- Cordova reference, this is added to your app when it's built. -->
    <script src="cordova.js"></script>
    <script src="scripts/platformOverrides.js"></script>
</body>
</html>

但是，在以下行中，https://mobileapppractice.azurewebsites.net在元标记

中进行了硬编码

<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://mobileapppractice.azurewebsites.net ...

所以我想使用angularJS表达式在meta标签中使这个url动态化，例如：

<meta http-equiv="Content-Security-Policy" content="default-src 'self' {{"https://mobileapppractice.azurewebsites.net"}} ...

但是，当它尝试在https://mobileapppractice.azurewebsites.net中调用WebAPI时，它无效并显示错误“...违反内容安全策略”。

有一种简单的方法可以让这个CSP元标记支持angularJS动态控制吗？

感谢。

Cordova Content-Security-Policy中的动态元标记内容

0 个答案: