我已将我的应用程序从2.5.12升级到2.5.18,并且在尝试运行此应用程序时收到错误。
错误如:
Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the font 'http://localhost:9000/assets/css/bootstrap/glyphicons-halflings-regular.woff' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-nOIew6ekpmk+M5QFOFhJ1ur1AuDtJrbuorncKwpAfxA='), or a nonce ('nonce-...') is required to enable inline execution.
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' http://localhost:9000". Either the 'unsafe-inline' keyword, a hash ('sha256-CeNrMsFQ2CxbG0wY6+u/TJVb6zIFWXP9hv08Pgb1MmM='), or a nonce ('nonce-...') is required to enable inline execution.
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' <URL>". Either the 'unsafe-inline' keyword, a hash ('sha256-se3iZ/nePYmAviO9VXXizL4rh7Co8gaWtMzoxdwXqdk='), or a nonce ('nonce-...') is required to enable inline execution.
所以,我遵循了这个文档:
https://www.playframework.com/documentation/2.5.18/SecurityHeaders
阅读这些帖子:
Play framework - Content Security Policy setting doesn't work?
Play Framework won't run inline javascript
并使用以下内容更新了我的application.conf
play.modules {
enabled += "play.filters.headers.SecurityHeadersModule"
}
play.filters {
# Security headers filter configuration
headers {
# The Content-Security-Policy header. If null, the header is not set.
contentSecurityPolicy = "default-src 'self'; script-src 'self' http://localhost:9000 'unsafe-inline'; connect-src 'self'; img-src 'self' http://localhost:9000; style-src 'self' http://localhost:9000; font-src 'self' http://localhost:9000"
}
}
但是,当我clean,compile和run应用程序时,我仍会收到上面列出的错误。好像play.filters似乎没有激活。
我注意到您可以将内容安全策略添加到html页面本身 - 我是否需要同时启用此过滤器?
我也知道我可以禁用此过滤器,但听起来这不是一个好主意。
答案 0 :(得分:0)
我在此处发现的一件事是,您需要分别为script-src和style-src以及font-src定义。
所以在你的情况下:
contentSecurityPolicy = "default-src 'self'; script-src 'self' http://localhost:9000 'unsafe-inline'; connect-src 'self'; img-src 'self' http://localhost:9000; style-src 'self' http://localhost:9000 'unsafe-inline'; font-src 'self' http://localhost:9000 'unsafe-inline'"
这是针对不安全的内联问题。
或者你可以用default-src放置所有东西,但是你放松了一点安全;)。
顺便说一下,我建议将所有内联脚本和内联样式移动到文件中 - 这样你就可以减少一个安全线程。