我有以下CSP标题:
Content-Security-Policy:default-src 'self'; connect-src 'self' https://*.example.com; script-src 'nonce-OWEwM2Q2YWMtYjc5NS00NmQxLWI3MGItNWRiNGJkOGNlNzZm' 'self' data: https://*.google-analytics.com https://*.facebook.net 'unsafe-eval'; style-src 'self' https://*.fonts.net 'unsafe-inline'; img-src 'self' data: https://media.example.com https://*.google-analytics.com https://*.doubleclick.net https://*.facebook.com http: https:; media-src 'self' data: https://media.example.com
以下脚本元素:
<script type="text/javascript" nonce="OWEwM2Q2YWMtYjc5NS00NmQxLWI3MGItNWRiNGJkOGNlNzZm">var data="some data";</script>
它在现代浏览器中运行良好,但在Chrome&lt; = 40版本中,我看到以下错误:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-OWEwM2Q2YWMtYjc5NS00NmQxLWI3MGItNWRiNGJkOGNlNzZm' 'self' data: https://*.google-analytics.com https://*.facebook.net 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
我做了一些谷歌搜索并没有找到任何其他相关的引用此错误。任何人都知道出了什么问题?