这是服务器端CSP问题。在NGINX中,由于我的内容安全策略标题给我带来了困难,因此我在重新加载配置时出现了一些问题。
[root@www1 ~]# service nginx reload
nginx: [emerg] unknown directive "script-src" in /etc/nginx/conf.d/ssl.conf:15
nginx: configuration file /etc/nginx/nginx.conf test failed
我已经重写并重写了这个政策8次,但NGINX不会接受它。 NGINX版本是nginx / 1.10.2,CentOS 6.8,内核2.6.32-642.13.1.el6.x86_64
server {
[...] //Stuff
add_header Content-Security-Policy:"default-src 'self';script-src 'self' 'unsafe-inline' https://bam.nr-data.net https://js-agent.newrelic.com https://cdn.mxpnl.com https://ajax.cloudflare.com https://*.redacted.co;style-src 'self' https://*.redacted.co;img-src *;font-src 'self' https://*.redacted.co https://cloud.typography.com; object-src 'none';frame-src 'none';upgrade-insecure-requests;";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
add_header X-Frame-Options "DENY";
add_header X-XSS-Protection "1; mode=block";
[...] //Stuff
}
有什么明显的东西我不见了吗?
答案 0 :(得分:0)
看起来我添加了一个不应该出现的分号。移除了,突然NGINX很高兴。
add_header Content-Security-Policy:应为add_header Content-Security-Policy