我一直试图在Web应用程序中设置文本编辑器。在哪里访问文本编辑器,我必须允许script-src'self''unsafe-inline''unsafe-eval'和style-src'unsafe-inline'。但是在playframework 2.6.x中,我必须设置为
play.filters.headers.contentSecurityPolicy位于配置文件中,这会使整个应用程序变得不安全。
注意:meta标签不起作用,即使我尝试通过过滤器在响应标头中传递Content-security-policy。什么都没有。
在这种情况下,是否可以为播放2.6.x中的任何特定页面或路径设置script-src 'self' 'unsafe-inline' 'unsafe-eval' and style-src 'unsafe-inline'?
答案 0 :(得分:0)
# Security Filter Configuration - Content Security Policy
play.filters.headers {
contentSecurityPolicy = "default-src 'self';"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" img-src 'self' *.fbcdn.net *.twimg.com *.googleusercontent.com *.xingassets.com vk.com *.yimg.com secure.gravatar.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com maxcdn.bootstrapcdn.com cdn.jsdelivr.net fonts.googleapis.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" font-src 'self' fonts.gstatic.com fonts.googleapis.com cdnjs.cloudflare.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' cdnjs.cloudflare.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" connect-src 'self' twitter.com *.xing.com;"
}
播放2.7 在某个操作上,它看起来像:
Ok("Index").withHeaders(SecurityHeadersFilter.REFERRER_POLICY -> "my page-specific header")
检查文档:https://www.playframework.com/documentation/2.7.x/SecurityHeaders#Action-specific-overrides
但是在 Play 2.7 中已弃用-改用CSP-请参阅:https://www.playframework.com/documentation/2.7.x/CspFilter#Enabling-CSP-on-Specific-Actions
(在同一文档上)也有可能从CSP过滤器中排除route,例如:
+ nocsp
POST /report-to controllers.CSPReportController.report