Content Security Policy header directives for Google reCAPTCHA

Time: 2017-06-13 05:07:45

Tags: asp.net-mvc content-security-policy recaptcha

Content Security Policy

Google reCAPTCHA header directives

I have added the following directives for Google reCAPTCHA, but I still get an error for recaptcha__en.js

    "script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; "
    "style-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/"

Tried using a nonce

    "script-src 'self' 'nonce-GoogleRecaptcha' "
    "style-src 'self' 'nonce-GoogleRecaptcha' "

    <script src='https://www.google.com/recaptcha/api.js' nonce="GoogleRecaptcha" async defer></script>

Also tried adding all the required hashes


    Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'SHA256-CwE3Bg0VYQOIdNAkbB/Btdkhul49qZuwgNCMPgNY5zw=' 'SHA256-MZKTI0Eg1N13tshpFaVW65co/LeICXq4hyVx6GWVlK0=' 'SHA256-LpfmXS+4ZtL2uPRZgkoR29Ghbxcfime/CSD/4w5VujE=' 'SHA256-YJO/M9OgDKEBRKGqp4Zd07dzlagbB+qmKgThG52u/MK=' 'SHA256-Awu6hl63MCY3jiYHaDclrL7Lic9KcEalXm2o/i3e0v8=' 'SHA256-WCg1a4AhMGgFRCQG5w+HGG+Q2j8Ygrbd+2dgjByIOIU=' 'SHA256-ldCXMle1JJUAD9eAjLdSuPIgIBcTcBecWlaXs0A2y4M=' 'sha256-+zzuded9+DHoztKyASJeCkVU0gxvYNWMUIQM7x//CB4=' 'sha256-6iA6WDOL1mgUULZ6GSs2OOfP4eMuu6iI5agxCjK2m2A=' 'SHA256-MammJ3J+TGIHdHxYsGLjD6DzRU0ZmxXKZ2DvTePAF0o='". Either the 'unsafe-inline' keyword, a hash ('sha256-Awu6hl63MCY3jiYHaDclrL7Lic9KcEalXm2o/i3e0v8='), or a nonce ('nonce-...') is required to enable inline execution.

As you can see in the hashes above, it shows the same hash values that I added. I still get this error.

I am adding all these header values with a meta tag on the layout page.

1 answer:

Answer 0 (score: 0)

I got it working.

You are just missing frame-src 'self', as described here: I'm using Content-Security-Policy (CSP) on my website. How can I configure it to work with reCAPTCHA?

    "style-src 'self' https://fonts.googleapis.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; 
    script-src 'self' https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; 
    frame-src 'self' https://www.google.com/recaptcha/; 
    font-src 'self' https://fonts.gstatic.com; 
    default-src 'self'; 
    object-src 'none'; 
    frame-ancestors 'none'; 
    sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";

If you need my project's implementation details, I'd be happy to provide them.
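As an added example that is not part of the question or the answer above, a small Python checker that parses a serialized policy and reports which of the reCAPTCHA sources listed in the answer's policy are still missing (the question's policy lacks frame-src), which directives a meta-delivered policy drops, and how a CSP hash-source for an inline block is computed. The two policy strings are reproduced from the question and the answer; the function names and the sample inline text are constructed for this example.

```python
import base64, hashlib
# Sources reCAPTCHA needs per directive, taken from the answer's policy above.
RECAPTCHA_SOURCES = {
    "script-src": ["https://www.google.com/recaptcha/", "https://www.gstatic.com/recaptcha/"],
    "style-src": ["https://www.google.com/recaptcha/", "https://www.gstatic.com/recaptcha/"],
    "frame-src": ["https://www.google.com/recaptcha/"],
}
# Directives a browser ignores when the policy arrives in a <meta> tag instead of an HTTP header.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}
# Constructed samples: the question's policy (script/style only) and the answer's full policy.
QUESTION_POLICY = ("script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; "
                   "style-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/")
ANSWER_POLICY = ("style-src 'self' https://fonts.googleapis.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; "
                 "script-src 'self' https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; "
                 "frame-src 'self' https://www.google.com/recaptcha/; font-src 'self' https://fonts.gstatic.com; default-src 'self'; "
                 "object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self'")

def parse_csp(policy):
    """Serialized policy -> {directive-name: [source-expression, ...]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def missing_recaptcha_sources(policy):
    """{directive: [sources still lacking]}; an empty dict means every reCAPTCHA load is allowed."""
    directives, missing = parse_csp(policy), {}
    for directive, needed in RECAPTCHA_SOURCES.items():
        # An absent directive falls back to default-src; frame-src consults child-src first.
        chain = [directive, "child-src", "default-src"] if directive == "frame-src" else [directive, "default-src"]
        sources = next((directives[d] for d in chain if d in directives), [])
        lacking = [s for s in needed if s not in sources]
        if lacking:
            missing[directive] = lacking
    return missing

def ignored_in_meta(policy):
    """Directives present in the policy that a <meta http-equiv> delivery silently drops."""
    return sorted(d for d in parse_csp(policy) if d in META_IGNORED)

def csp_hash(inline_source):
    """Hash-source for an inline block: base64 of SHA-256 over the exact bytes, whitespace included."""
    return "'sha256-" + base64.b64encode(hashlib.sha256(inline_source.encode()).digest()).decode() + "'"

if __name__ == "__main__":
    print(missing_recaptcha_sources(QUESTION_POLICY))  # {'frame-src': ['https://www.google.com/recaptcha/']}
    print(missing_recaptcha_sources(ANSWER_POLICY), ignored_in_meta(ANSWER_POLICY))  # {} ['frame-ancestors', 'sandbox']
```

Two caveats the checker surfaces: frame-ancestors and sandbox in the answer's policy only take effect when the policy is sent as an HTTP header rather than the layout page's meta tag, and a nonce must be a fresh random value per response, since a constant such as nonce-GoogleRecaptcha is predictable and allowlists nothing in practice.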