Nginx CSP frame-src 被忽略
Nginx CSP frame-src ignored
我有一个 Nginx CSP 配置如下:
add_header Content-Security-Policy "default-src 'self';script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js;img-src 'self' https://ssl.google-analytics.com data:;style-src 'self' 'unsafe-inline';font-src 'self' 'unsafe-inline';frame-src 'self' https:;object-src 'self';connect-src 'self' ws:;media-src 'self'
当我尝试在 Chrome 中加载页面时,我看到:
Refused to frame 'https://myexternalwebsite.com/a/b/index.html' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
在我的 CSP frame-src 中明确设置并具有值 'self' 和 https:
我可能做错了什么?
有点奇怪,但我设法通过指定解决了这个问题:
frame-src 'self' *;
这满足我的要求。
我有一个 Nginx CSP 配置如下:
add_header Content-Security-Policy "default-src 'self';script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js;img-src 'self' https://ssl.google-analytics.com data:;style-src 'self' 'unsafe-inline';font-src 'self' 'unsafe-inline';frame-src 'self' https:;object-src 'self';connect-src 'self' ws:;media-src 'self'
当我尝试在 Chrome 中加载页面时,我看到:
Refused to frame 'https://myexternalwebsite.com/a/b/index.html' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
在我的 CSP frame-src 中明确设置并具有值 'self' 和 https:
我可能做错了什么?
有点奇怪,但我设法通过指定解决了这个问题:
frame-src 'self' *;
这满足我的要求。