我收到了错误:
vendor.js:328未捕获的EvalError:拒绝将字符串评估为JavaScript,因为'unsafe-eval'不是以下内容安全策略指令中允许的脚本源:“script-src'self'localhost:* ajax.googleapis.com ajax.aspnetcdn.com“。
我知道我可以通过设置UnsafeEval = true,来解决此错误
但这是不安全的,并打开我的网站,直到XSS漏洞。
因此有一种方法我可以允许一些脚本,也可以在我使用AJAX时形成。也许你们可以给我一个如何使用这些方法的例子我不太清楚如何去做。
new CspFormActionAttribute()
{
// Allow forms to post back to example.com.
// CustomSources = "*.example.com",
// Allow forms to post back to the same domain.
Self = true
});
new CspChildSrcAttribute()
{
// Allow web workers or embed frames from example.com.
// CustomSources = "*.example.com",
// Allow web workers or embed frames from the same domain.
Self = false
});
// connect-src - This directive restricts which URIs the protected resource can load using script interfaces
// (Ajax Calls and Web Sockets).
filters.Add(
new CspConnectSrcAttribute()
{
// Allow Browser Link to work in debug mode only.
CustomSources = string.Join(" ", "localhost:*", "ws://localhost:*"),
// Allow AJAX and Web Sockets to example.com.
// CustomSources = "*.example.com",
// Allow all AJAX and Web Sockets calls from the same domain.
Self = true
});