I have nginx 1.15.(6 | 8), Firefox (64 | 66), Chrome (71 | 73). The nginx server block contains:
add_header Content-Security-Policy "default-src 'none'; script-src 'sha512-Bq5AvqaMAzu7BU8zgc5fja3GteXcl8iEBg8qkDlJnJ+3lzMOws02ldvtRN+MUuVvWJXocXdJymLn0Pwkx6wqTA==' 'sha512-cuiTz6R5UrJQEeQI9UNW7kL3R74RDqCj4RZy8+5EMb+aKbEUg9FdKxIKeWtrPMEohPr6sAcP6LPJHLqeMIaP4Q=='";
index.html
<script src="/script/scr.js"
integrity="sha512-Aq5AvqaMAzu7BU8zgc5fja3GteXcl8iEBg8qkDlJnJ+3lzMOws02ldvtRN+MUuVvWJXocXdJymLn0Pwkx6wqTA==">
</script>
<script src="https://example.com/script/scr02.js"
integrity="sha512-cuiTz6R5UrJQEeQI9UNW7kL3R74RDqCj4RZy8+5EMb+aKbEUg9FdKxIKeWtrPMEohPr6sAcP6LPJHLqeMIaP4Q==">
</script>
Chrome (71 | 73) executes the scripts, but Firefox (64 | 66) does not. Firefox console output:
Content Security Policy: The page’s settings blocked the loading of a resource at https://example.com/script/scr.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://example.com/script/scr02.js (“script-src”).
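
An added example, not part of the original post: a Python consistency check that every integrity value on an external script tag is also listed as a hash source in the script-src directive of the policy. The policy and markup are copied from the post; the function and class names are hypothetical.

```python
import re
from html.parser import HTMLParser

# A quoted CSP hash source such as 'sha512-....=='
HASH_SRC = re.compile(r"'(sha(?:256|384|512)-[A-Za-z0-9+/_-]+={0,2})'")

def csp_script_hashes(policy):
    """Return the set of hash sources in the script-src directive."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return set(HASH_SRC.findall(" ".join(parts[1:])))
    return set()

class ScriptCollector(HTMLParser):
    """Collect (src, [integrity tokens]) for every external <script>."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], (a.get("integrity") or "").split()))

def unlisted_scripts(policy, html):
    """Return src of scripts with a missing or unlisted integrity hash."""
    allowed = csp_script_hashes(policy)
    collector = ScriptCollector()
    collector.feed(html)
    return [src for src, hashes in collector.scripts
            if not hashes or not set(hashes) <= allowed]

# Policy value and markup copied from the post above.
POLICY = ("default-src 'none'; script-src "
          "'sha512-Bq5AvqaMAzu7BU8zgc5fja3GteXcl8iEBg8qkDlJnJ+3lzMOws02ldvtRN+MUuVvWJXocXdJymLn0Pwkx6wqTA==' "
          "'sha512-cuiTz6R5UrJQEeQI9UNW7kL3R74RDqCj4RZy8+5EMb+aKbEUg9FdKxIKeWtrPMEohPr6sAcP6LPJHLqeMIaP4Q=='")
PAGE = '''<script src="/script/scr.js"
integrity="sha512-Aq5AvqaMAzu7BU8zgc5fja3GteXcl8iEBg8qkDlJnJ+3lzMOws02ldvtRN+MUuVvWJXocXdJymLn0Pwkx6wqTA==">
</script>
<script src="https://example.com/script/scr02.js"
integrity="sha512-cuiTz6R5UrJQEeQI9UNW7kL3R74RDqCj4RZy8+5EMb+aKbEUg9FdKxIKeWtrPMEohPr6sAcP6LPJHLqeMIaP4Q==">
</script>'''

if __name__ == "__main__":
    for src in unlisted_scripts(POLICY, PAGE):
        print("integrity value not listed in script-src:", src)
```

Run on the values as posted, it reports /script/scr.js, whose integrity value begins Aq5 while the corresponding policy entry begins Bq5.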