Quantcast 的 CSP 设置
CSP settings for Quantcast
我正在我的网站中集成用于跟踪受众的 Quantcast 脚本。当页面在浏览器中加载时,出现以下错误。我知道这是一个编码为 base64 的脚本,但我如何允许它使用 CSP 和 CORS 执行 headers?
Refused to load the script
'data:application/javascript;base64,ZnVuY3Rpb24gcXVhbnRzZXJ2ZSgpe30='
because it violates the following Content Security Policy directive:
"script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com
*.quantserve.com".
这是我的 headers:
headers {
contentSecurityPolicy = "default-src 'self' *.cloudflare.com *.quantserve.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" img-src 'self' *.fbcdn.net *.twimg.com *.googleusercontent.com *.xingassets.com *.vk.com *.yimg.com secure.gravatar.com *.stuffpoint.com *.pixabay.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com maxcdn.bootstrapcdn.com cdn.jsdelivr.net fonts.googleapis.com edge.quantserve.com;;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" font-src 'self' fonts.gstatic.com fonts.googleapis.com cdnjs.cloudflare.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com *.quantserve.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" connect-src 'self' twitter.com *.xing.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" frame-src 'self' 'unsafe-inline' 'unsafe-eval' edge.quantserve.com;"
}
将 data: 添加到 script-src 行。
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.cloudflare.com *.quantserve.com;"
注意:这通常会带来一些安全隐患,但您的 script-src 过于宽容,几乎无法提供任何保护。
处理这个问题的更好方法是将它放在一个文件中,而不是使用内联标签。由于允许 unsafe-inline
的安全问题
我正在我的网站中集成用于跟踪受众的 Quantcast 脚本。当页面在浏览器中加载时,出现以下错误。我知道这是一个编码为 base64 的脚本,但我如何允许它使用 CSP 和 CORS 执行 headers?
Refused to load the script 'data:application/javascript;base64,ZnVuY3Rpb24gcXVhbnRzZXJ2ZSgpe30=' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com *.quantserve.com".
这是我的 headers:
headers {
contentSecurityPolicy = "default-src 'self' *.cloudflare.com *.quantserve.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" img-src 'self' *.fbcdn.net *.twimg.com *.googleusercontent.com *.xingassets.com *.vk.com *.yimg.com secure.gravatar.com *.stuffpoint.com *.pixabay.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com maxcdn.bootstrapcdn.com cdn.jsdelivr.net fonts.googleapis.com edge.quantserve.com;;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" font-src 'self' fonts.gstatic.com fonts.googleapis.com cdnjs.cloudflare.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com *.quantserve.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" connect-src 'self' twitter.com *.xing.com;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" frame-src 'self' 'unsafe-inline' 'unsafe-eval' edge.quantserve.com;"
}
将 data: 添加到 script-src 行。
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.cloudflare.com *.quantserve.com;"
注意:这通常会带来一些安全隐患,但您的 script-src 过于宽容,几乎无法提供任何保护。
处理这个问题的更好方法是将它放在一个文件中,而不是使用内联标签。由于允许 unsafe-inline