Refused to load the script because it violates the following Content Security Policy directive

When I try to use Android 5.0.0 or above (Lollipop), I keep getting these error messages:

07-03 18:39:21.621: D/SystemWebChromeClient(9132): file:///android_asset/www/index.html: Line 0 : Refused to load the script 'http://xxxxx' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline' ".
07-03 18:39:21.621: I/chromium(9132): [INFO:CONSOLE(0)] "Refused to load the script 'http://xxx' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline' ".

However, if I use 4.4.x (KitKat), the Content Security Policy works with the default policy:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

I then thought that perhaps I should change it to this:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'; style-src 'self' 'unsafe-inline'; media-src *">

Basically, neither of these options works for me. How do I solve this?

Best answer

The solution is:

script-src 'self' http://xxxx 'unsafe-inline' 'unsafe-eval';
Other answers

The answer given by MagngooSasa does the trick, but for any others seeking knowledge, here are a few more details:

When developing Cordova apps with Visual Studio, I tried to import a remote JavaScript file [located here http://Guess.What.com/MyScript.js], but I have the error mentioned in the title.

Here is the meta tag from the project's index file:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

Here is the corrected meta tag, to allow importing a remote script:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval';">

No more errors!

Full permission string

The previous answers did not fix my issue, because they don't include the blob: data: gap: keywords at the same time; so here is a string that does:

<meta http-equiv="Content-Security-Policy" content="default-src * 'self' blob: data: gap:; style-src * 'self' 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; img-src * 'self' 'unsafe-inline' blob: data: gap:; connect-src 'self' * 'unsafe-inline' blob: data: gap:; frame-src * 'self' blob: data: gap:;">

Warning: this exposes the file to many exploits. Be sure to prevent users from executing code, or use it only in a closed environment such as Cordova.

For anyone looking for a complete explanation, I recommend you study Content Security Policy: https://www.html5rocks.com/en/tutorials/security/content-security-policy/

"Code from https://mybank.com should only have access to https://mybank.com’s data, and https://evil.example.com should certainly never be allowed access. Each origin is kept isolated from the rest of the web"

XSS attacks rely on the browser being unable to distinguish your own code from code downloaded from another website. So you must whitelist the content you consider safe to download, using the Content-Security-Policy HTTP header.

This policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own.

So, if you write the following:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; script-src 'self' http://onlineerp.solution.quebec 'unsafe-inline' 'unsafe-eval';">

You are saying that you are authorizing the execution of JavaScript code (script-src) from the origins 'self', http://onlineerp.solution.quebec, 'unsafe-inline', 'unsafe-eval'.

I guess that the first two are perfectly valid for your use case; I am a bit unsure about the other ones. 'unsafe-inline' and 'unsafe-eval' pose a security problem, so you should not be using them unless you have a very specific need for them:

"If eval and its text-to-JavaScript brethren are completely essential to your application, you can enable them by adding unsafe-eval as an allowed source in a script-src directive. But, again, please don’t. Banning the ability to execute strings makes it much more difficult for an attacker to execute unauthorized code on your site." (Mike West, Google)
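The fallback behaviour described in this answer (a missing script-src falls back to default-src) and the reason the accepted fix works (the remote origin must be listed as a source) can be checked mechanically. The following is an added example, not code from the question, from any answer, or from any browser: a small Node.js model of CSP source matching. The page origin `https://app.example`, the sample URLs and the policies passed to it are constructed for the demonstration; it also shows why the single quotes around 'self' and 'unsafe-inline' matter, and that 'unsafe-inline' is ignored once a nonce or hash is present. Simplifications relative to the specification (no http to https upgrade, prefix-only path matching) are marked in comments.

```javascript
// Added example (Node.js, no dependencies); a simplified model of CSP source matching.
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:", "ftp:"]);
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "script-src 'self' http://a; style-src 'self'" -> Map { "script-src" => [...], ... }
// When a directive is repeated, the first occurrence wins, as in browsers.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    // "*.example.com" matches "a.example.com" but not "example.com" itself
    return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  }
  return pattern === host;
}

// host-source: [scheme://]host[:port][/path]
function hostSourceMatches(source, url, page) {
  let rest = source, scheme = null, port = null, path = "";
  const at = rest.indexOf("://");
  if (at !== -1) { scheme = rest.slice(0, at + 1); rest = rest.slice(at + 3); }
  const slash = rest.indexOf("/");
  if (slash !== -1) { path = rest.slice(slash); rest = rest.slice(0, slash); }
  const colon = rest.lastIndexOf(":");
  if (colon !== -1) { port = rest.slice(colon + 1); rest = rest.slice(0, colon); }
  // Without an explicit scheme the page's own scheme is required (simplified: no http->https upgrade)
  if (scheme === null ? url.protocol !== page.protocol : scheme !== url.protocol) return false;
  if (!hostMatches(rest, url.hostname)) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  const portOk = port === null ? urlPort === (DEFAULT_PORT[url.protocol] || "")
                               : port === "*" || port === urlPort;
  if (!portOk) return false;
  return path === "" || url.pathname.startsWith(path); // the spec is stricter about paths
}

function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  // 'self' compares origins; opaque origins (file:, data:) never match
  if (s === "'self'") return page.origin !== "null" && url.origin === page.origin;
  // 'unsafe-inline', 'unsafe-eval', nonces and hashes say nothing about URLs
  if (s.startsWith("'")) return false;
  if (s === "*") return NETWORK_SCHEMES.has(url.protocol) || url.protocol === page.protocol;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source: data:, gap:, wss:
  return hostSourceMatches(s, url, page);
}

// Is loading `urlString` for `directive` allowed by `policy` on a page at `pageOrigin`?
// Also returns which directive made the decision, so the relevant line of the policy is visible.
function checkLoad(policy, directive, urlString, pageOrigin) {
  const directives = parseCsp(policy);
  const consulted = directives.has(directive) ? directive
                  : directives.has("default-src") ? "default-src" : null;
  if (consulted === null) return { allowed: true, consulted }; // nothing restricts this type
  const url = new URL(urlString), page = new URL(pageOrigin);
  return { allowed: directives.get(consulted).some((s) => sourceMatches(s, url, page)), consulted };
}

// Inline script/style is a separate decision: 'unsafe-inline' is ignored as soon
// as a nonce or hash is present in the same source list.
function allowsInline(policy, directive) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) || directives.get("default-src") || [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed demonstration mirroring the question: without a script-src directive the
// policy falls back to default-src, which does not list the remote host.
const PAGE = "https://app.example";
const QUESTION_POLICY =
  "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *";
const FIXED_POLICY =
  "script-src 'self' http://xxxxx 'unsafe-inline' 'unsafe-eval'; object-src 'self'; style-src 'self' 'unsafe-inline'; media-src *";

console.log(checkLoad(QUESTION_POLICY, "script-src", "http://xxxxx/app.js", PAGE)); // refused via default-src
console.log(checkLoad(FIXED_POLICY, "script-src", "http://xxxxx/app.js", PAGE));    // allowed via script-src
console.log(checkLoad("script-src self", "script-src", "https://app.example/main.js", PAGE)); // unquoted self is just a host name
```

Running it prints the three decisions; the third shows that an unquoted `self` only matches a host literally named "self", which is one reason a policy that looks right can still refuse the page's own scripts.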

We do it like this:

<meta http-equiv="Content-Security-Policy" content="default-src gap://ready file://* *; style-src 'self' http://* https://* 'unsafe-inline'; script-src 'self' http://* https://* 'unsafe-inline' 'unsafe-eval'">

If you are using the helmet package, just pass contentSecurityPolicy: false to helmet, like this:

app.use(
  helmet({
    contentSecurityPolicy: false,
  })
);

To elaborate some more on this, adding

script-src 'self' http://somedomain 'unsafe-inline' 'unsafe-eval';

to the meta tag like so,

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src 'self' https://somedomain.com/ 'unsafe-inline' 'unsafe-eval'; media-src *">

fixed the error.

Adding the meta tag to override this policy did not help us, because our web server was sending the Content-Security-Policy header in the response.

In our case we are using Nginx as the web server for a Tomcat 9 Java-based application. From the web server, it is directing the browser not to allow inline scripts, so for temporary testing we have turned off Content-Security-Policy by commenting it out.

How to turn it off in Nginx

  • In other words, the Nginx ssl.conf file was adding the header to the response:

    #> grep content-security -ir /etc/nginx/global/ssl.conf
    add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";

  • If you just comment out this line and restart Nginx, it should no longer add the header to the response.

If you are concerned about security or in production please do not follow this, use these steps as only for testing purpose and moving on.

For dummies like me with an Apache/Debian server, who tried to add this into the index.html file (and lost a couple of hours because of this), the answer would be something like this:

Edit:/etc/apache2/sites- available/yourwebsiteconfig.com-sl.conf

add or modify the following line:

Header always set Content-Security-Policy: "script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://www.googletagmanager.com"

Here:

<IfModule mod_headers.c>
        Header always append X-Frame-Options SAMEORIGIN
        Header always set Content-Security-Policy: "script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://www.googletagmanager.com"
</IfModule>

The following helped me to get rid of CSP errors, when using Stripe in my NodeJS app:

const helmet = require("helmet");

app.use(helmet()); // helmet's default bundle already sets a strict CSP
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      fontSrc: ["'self'"],
      imgSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'"],
      frameSrc: ["'self'"],
    },
    reportOnly: true, // Set to true to enable report-only mode
  })
);

You may find very helpful tutorial here or read more about it here

For me, the error was

because it violates the following Content Security Policy directive: "connect-src 'self' wss: https://www.google-analytics.com".

while what I had configured was exactly:

 "connect-src 'self' ws: wss: https://www.google-analytics.com",

It turned out that, for me, the Google Maps script also had to be in the connect-src CSP value so that the browser knows about it:

 "connect-src 'self' ws: wss: https://www.google-analytics.com https://maps.googleapis.com https://www.googletagmanager.com",



