My nginx.conf contains the following:

```nginx
add_header Content-Security-Policy
"default-src 'self';
img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com;
style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com;
font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com;
frame-src 'self' *.vimeocdn.com *.vimeo.com;
object-src 'self'";
```

(I had to split it over several lines to make it readable...)

But on my site I still get this error:

Content Security Policy: The page's settings blocked the loading of a resource at http://netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css ("style-src").

Any idea why this happens when it is whitelisted?
Answer 0 (score: 4)
As @tarun-lalwani mentioned, any add_header directive in other blocks matters. More precisely, if an add_header directive (for any header) is used in a descendant block, this Content-Security-Policy will be dropped in that descendant block. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.

To avoid code duplication (DRY), you can use variables or the include directive (or generate the nginx config, when there are a lot of them).

Just in case: in a real config, multi-line header values should not be used. Check your server's response with curl -I https://example.com/path. For better readability in the config, variables can be used.

Example:
```nginx
# Each directive goes in its own variable; the trailing "; " keeps the
# concatenated policy well-formed. "set" is provided by ngx_http_rewrite_module
# and is valid inside server, location and if blocks, not at the http level.
set $CSP_image "img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; ";
set $CSP_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; ";
set $CSP_style "style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; ";
set $CSP_font "font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; ";
set $CSP_frame "frame-src 'self' *.vimeocdn.com *.vimeo.com; ";
set $CSP_object "object-src 'self' ; ";
# Assemble the single-line header value from the pieces above.
set $CSP "default-src 'self' ; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object}";
add_header Content-Security-Policy $CSP;
```
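The inheritance trap the answer describes, shown as an added example that is not part of the original answer. The first server block reproduces the problem: a location with its own add_header (here Cache-Control for static files) replaces the whole inherited add_header set, so CSS served from that location leaves without any Content-Security-Policy header, no matter how complete the server-level policy is. The two fixes below re-add the header in every block that declares add_header, once via an included snippet and once via a map-defined variable (map, unlike set, is allowed at the http level, so one definition serves every server block). The hostname example.com, the path snippets/csp.conf and the shortened policy are assumptions; the "always" parameter requires nginx 1.7.5 or later.

```nginx
# --- Problem: server-level CSP silently dropped in a descendant block ---------
server {
    listen 443 ssl;
    server_name example.com;

    add_header Content-Security-Policy "default-src 'self'; style-src 'self' *.bootstrapcdn.com";

    location / {
        # No add_header here, so the server-level CSP is inherited.
        try_files $uri $uri/ /index.php?$args;
    }

    location ~* \.(css|js|png)$ {
        # This add_header replaces the inherited set: responses from this
        # location carry Cache-Control but NO Content-Security-Policy.
        add_header Cache-Control "public, max-age=31536000";
    }
}

# --- Fix A: include the same add_header line wherever add_header is used -----
# snippets/csp.conf (assumed path) holds exactly one line; "always" also sends
# the header on 4xx/5xx responses, which the plain form does not:
#
#   add_header Content-Security-Policy "default-src 'self'; style-src 'self' *.bootstrapcdn.com" always;
#
server {
    listen 443 ssl;
    server_name example.com;
    include snippets/csp.conf;

    location ~* \.(css|js|png)$ {
        add_header Cache-Control "public, max-age=31536000";
        include snippets/csp.conf;   # re-add the CSP in the block that has its own add_header
    }
}

# --- Fix B: define the policy once with map (http context) and reuse it ------
# map is evaluated per request and may live at the http level, where set may not.
map $host $csp {
    default "default-src 'self'; style-src 'self' *.bootstrapcdn.com";
}

server {
    listen 443 ssl;
    server_name example.com;
    add_header Content-Security-Policy $csp always;

    location ~* \.(css|js|png)$ {
        add_header Cache-Control "public, max-age=31536000";
        add_header Content-Security-Policy $csp always;
    }
}

# Check the actual response for a resource served by the static location:
#   curl -sI https://example.com/css/app.css | grep -i content-security-policy
# An empty result means the header was dropped on that path.
```

Run the curl check against a URL that hits each location, not only the front page, since the header can be present on / and missing on the static paths. A separate point worth knowing when reading the error in the question: a scheme-less host source such as *.bootstrapcdn.com inherits the scheme of the page, so on a page served over https it covers https://netdna.bootstrapcdn.com/... but not an http:// URL for the same host (which would also be blocked as mixed content).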