内容安全策略拒绝列出白名单

时间:2018-03-03 05:39:30

标签: header content-security-policy

我将CSP标题上的youtube API域列入白名单,但它仍然拒绝该脚本。

CSP标题

default-src 'self'; script-src 'self' https://youtube.com/iframe_api s.ytimg.com; style-src 'self' ; img-src 'self' https://i.ytimg.com; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'none' ; child-src 'none' ; frame-src https://wwww.youtube.com ; worker-src 'self' ; frame-ancestors 'none' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; disown-opener; sandbox allow-scripts allow-same-origin; reflected-xss block; manifest-src 'self' ; referrer no-referrer;

错误

Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "script-src 'self' https://youtube.com/iframe_api s.ytimg.com".

1 个答案:

答案 0 :(得分:0)

使用strict-dynamic并使用随机数

解决了这个问题