我正在我的网站上集成用于跟踪受众的Quantcast脚本。当页面在浏览器中加载时,我得到以下错误。我知道这是一个编码为base64的脚本,但是如何允许它使用CSP和CORS头执行呢?
拒绝加载脚本 '数据:应用/ JavaScript的; BASE64,ZnVuY3Rpb24gcXVhbnRzZXJ2ZSgpe30 =' 因为它违反了以下内容安全策略指令: " script-src' self' '不安全直插' '不安全-EVAL' * .cloudflare.com * .quantserve.com"
这是我的标题:
headers {
contentSecurityPolicy = "default-src 'self' *.cloudflare.com *.quantserve.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" img-src 'self' *.fbcdn.net *.twimg.com *.googleusercontent.com *.xingassets.com *.vk.com *.yimg.com secure.gravatar.com *.stuffpoint.com *.pixabay.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com maxcdn.bootstrapcdn.com cdn.jsdelivr.net fonts.googleapis.com edge.quantserve.com;;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" font-src 'self' fonts.gstatic.com fonts.googleapis.com cdnjs.cloudflare.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com *.quantserve.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" connect-src 'self' twitter.com *.xing.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" frame-src 'self' 'unsafe-inline' 'unsafe-eval' edge.quantserve.com;"
}
答案 0 :(得分:1)
将data:添加到script-src行。
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.cloudflare.com *.quantserve.com;"
注意:这通常会带来一些安全隐患,但您的script-src非常宽松,无论如何都无法提供保护。