所以我正在设置一个head-csp(https://www.npmjs.com/package/helmet-csp),并正在运行ace。这是我的头盔设置:
var csp = require("helmet-csp");
app.use(csp({
directives: {
defaultSrc: ["'self'", "https://localhost:8000"],
styleSrc: ["'self'", "'unsafe-inline'"],
sandbox: ["allow-forms", "allow-scripts", "allow-same-origin"],
reportUri: "/report-violation",
scriptSrc: ["'self'", "'unsafe-inline'",
"https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js",
"https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/theme-monokai.js",
"https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/mode-javascript.js"]
}
}));
并且脚本是这样实现的(src链接到ace的本地嵌入):
<script src="../../src-min-noconflict/ace.js" type="text/javascript" charset="utf-8"></script>
<script>
var editor = ace.edit("editor");
editor.getSession().setUseWorker(false);
editor.setTheme("ace/theme/monokai");
editor.getSession().setMode("ace/mode/javascript");
</script>
哪个没有破坏性错误,但我一直在浏览器控制台中找到它:
Refused to create a worker from 'blob:https://localhost:8000/34145ece-2c95-403b-92b0-79d02a5b4edd' because it violates the following Content Security Policy directive: "default-src 'self' https://localhost:8000". Note that 'worker-src' was not explicitly set, so 'default-src' is used as a fallback.
和
Could not load worker DOMException: Failed to construct 'Worker': Access to the script at 'blob:https://localhost:8000/701e5193-c7f3-47b4-94da-c2086bfc2dd4' is denied by the document's Content Security Policy.
at new u (https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js:1:305119)
at createWorker (https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/mode-javascript.js:1:22584)
at p.$startWorker (https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js:1:159829)
at p.$onChangeMode (https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js:1:159064)
at p.<anonymous> (https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js:1:158825)
at https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js:1:55143
at Array.forEach (native)
at https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js:1:55120
at n (https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js:1:936)
at a (https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js:1:1487)
感觉就像我尝试了谷歌提供的一切,但没有结果。有人能帮助我吗?
答案 0 :(得分:2)
我必须为工作人员添加child-src政策。由于工人发送了某种斑点,我允许来自该起源的斑点。
app.use(csp({
directives: {
defaultSrc: ["'self'"],
imgSrc: ["data: *"],
childSrc: ["blob: *"],
styleSrc: ["'self'", "'unsafe-inline'",
"https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css"],
sandbox: ["allow-forms", "allow-scripts", "allow-same-origin"],
scriptSrc: ["'self'", "'unsafe-inline'", "https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js",
"https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/theme-monokai.js",
"https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/mode-javascript.js",
"https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/worker-javascript.js"],
fontSrc: ["'self'", "https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0",
"https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/fontawesome-webfont.woff?v=4.7.0]",
"https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/fontawesome-webfont.ttf?v=4.7.0",
"https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/worker-javascript.js"]
}
}));
此外,我对脚本进行了一些更改以使其正常工作。为什么它在那之后起作用,我不知道:
<script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.2.0/ace.js"></script>
<script>
var textarea = document.querySelector("#content");
var editor = ace.edit("editor");
editor.setTheme("ace/theme/monokai");
editor.getSession().setMode("ace/mode/javascript");
editor.getSession().on("change", function () {
textarea.innerHTML = editor.getSession().getValue();
});
textarea.innerHTML = editor.getSession().getValue();
</script>
答案 1 :(得分:0)
“ script-src”中无需包含ace URL,您可以像这样使用
scriptSrc: ["'self'", "'unsafe-eval'", 'blob:', 'data:'],
它将起作用
答案 2 :(得分:-1)
我正在使用apache Web服务器标头来设置内容安全策略。 我添加了blob:到script-src指令,它运行正常。
标题集Content-Security-Policy“default-src'self'; media-src *; img-src ; font-src'self'data:; script-src'self''unsafe-eval' 'unsafe-inline'blob:https:// .googleapis.com https:// .google.com https:// .google-analytics.com https:// *。 gstatic.com; style-src'self''unsafe-inline'; object-src'self';“