Why do I get 'strict-dynamic'?

Date: 2018-12-20 10:14:22

Tags: content-security-policy

I want to create a CSP for my website, and I have been using the CSP Mitigator extension in the Chrome browser.

My application is written in Elixir with the phoenix-framework, and I use nginx as the web server.

The nginx headers are:

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

I wrote many rules for the CSP, for example:

    default-src 'none';
    base-uri 'none';
    form-action 'none';
    frame-ancestors 'none';
    script-src 'unsafe-inline' https://www.googletagmanager.com https://example.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com 'nonce-hZwUTOrpRdsdlZmODf631g==';
    style-src 'self' 'nonce-hZwUTOrpRdsdlZmODf631g==' https://example.com 'unsafe-inline' https://www.googletagmanager.com https://fonts.googleapis.com https://www.google.com/recaptcha;
    img-src 'self' https://example.com:443 https://ssl.gstatic.com https://stats.g.doubleclick.net https://www.google-analytics.com;
    frame-src https://www.gstatic.com https://www.google.com https://www.googletagmanager.com/ns.html;
    font-src 'self' 'unsafe-inline' https://example.com https://fonts.gstatic.com;
    connect-src www.google-analytics.com https://www.google-analytics.com https://stats.g.doubleclick.net;
    object-src 'none';
    report-uri https://my_code.report-uri.com/r/d/csp/reportOnly;

and my console continuously shows errors: https://gist.github.com/mojtaba-naserei/da75abac20c94a655dd2ab2e652dab8d

============================

My questions are:

1) Why do I get

    'strict-dynamic' is present, so host-based whitelisting is disabled

when I never defined 'strict-dynamic' in my CSP?

2) Why do I get this error:

    [Report Only] Refused to load the image 'https://example.com/images/smal-trangell-logo.png' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'strict-dynamic' data: filesystem: blob: ws: wss: ". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

when I defined a rule for it: img-src 'self' https://example.com:443
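As an added example (not code from the question or from CSP Mitigator), the following resolves a CSP header the way the console message describes: it falls back from img-src to default-src when img-src is absent, and it treats 'strict-dynamic' in the governing source list as disabling host-based allowlisting. The two sample policies are a shortened form of the one written above and the one quoted verbatim in the error message; the page origin used to resolve 'self' is an assumption.

```javascript
// Added example (not from the question): resolve the governing CSP directive and evaluate one load.
const FALLBACK_TO_DEFAULT = new Set(["script-src", "style-src", "img-src", "font-src",
  "connect-src", "frame-src", "media-src", "object-src", "child-src", "worker-src"]);
// Host-source grammar [scheme://][*.]host[:port|*][/path]; keywords ('self', nonces, 'none')
// and bare schemes such as data: deliberately fail to match it.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*']+)(?::(\d+|\*))?(\/\S*)?$/i;
// Parse "name src src; name src" into Map(directive -> [sources]); a repeated
// directive keeps its first occurrence, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}
// The directive governing a fetch of type `directive`, or null if none applies.
function governingDirective(policy, directive) {
  if (policy.has(directive)) return directive;
  if (FALLBACK_TO_DEFAULT.has(directive) && policy.has("default-src")) return "default-src";
  return null;
}
// Match one source expression against a URL; `pageOrigin` resolves 'self' (scheme-less sources accept the URL's scheme).
function hostSourceMatches(source, url, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === pageOrigin;
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  return (!scheme || `${scheme.toLowerCase()}:` === url.protocol)
    && (wildcard ? url.hostname.endsWith(`.${host.toLowerCase()}`) : url.hostname === host.toLowerCase())
    && (port ? port === "*" || port === urlPort : url.port === "")
    && (!path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path));
}
// Evaluate one load and explain the verdict as { governing, allowed, reason }.
function evaluate(header, directive, resourceUrl, pageOrigin) {
  const policy = parseCsp(header);
  const governing = governingDirective(policy, directive);
  if (governing === null) return { governing, allowed: true, reason: "no directive applies" };
  const sources = policy.get(governing);
  if (sources.includes("'strict-dynamic'")) // Chrome's rule, as quoted in the console message above
    return { governing, allowed: false, reason: "'strict-dynamic' is present, so host-based whitelisting is disabled" };
  const url = new URL(resourceUrl);
  const allowed = sources.some((s) => hostSourceMatches(s, url, pageOrigin));
  return { governing, allowed, reason: allowed ? "matched a host source" : "no source matched" };
}
// Constructed inputs: a shortened form of the asker's policy and the policy quoted in the error.
const ASKER_POLICY = "default-src 'none'; img-src 'self' https://example.com:443 https://ssl.gstatic.com; object-src 'none'";
const REPORTED_POLICY = "default-src * 'unsafe-inline' 'strict-dynamic' data: filesystem: blob: ws: wss: ";
```

Running `evaluate(...)` for the logo URL against both policies shows that the asker's own img-src permits the image, while the policy quoted in the error is a different one in which img-src is missing, default-src governs the load, and 'strict-dynamic' blocks it.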

0 answers:

No answers