What value to use for Content-Security-Policy meta for <video src="blob:...">

My site at https://my-site.com has some HTML like this:

<video src="blob:https://my-site.com/{some-guid}"></video>

In the console I get this error:

Refused to load media from 'blob:https://my-site.com/{some-guid}' because it violates the following Content Security Policy directive: "media-src *".

In my head I have this:

<meta http-equiv="Content-Security-Policy" content="media-src * blob:" />

What am I missing? I even tried the "catch all" (not super secure) value default-src * 'unsafe-inline' 'unsafe-eval', to no avail.

Using Chrome.

The fact that the message says the CSP directive being applied is just media-src * and not media-src * blob: seems to indicate that the browser is already getting a policy from a Content-Security-Policy header, and that header wins out over the more-liberal policy in the meta element.

So if your site is in fact already sending a Content-Security-Policy header, you need to change that header's policy to use a more-liberal media-src directive that allows blob: sources.

You cannot override a more-strict Content-Security-Policy header value with a more-liberal value specified in a meta element in the document. See https://w3c.github.io/webappsec-csp/#multiple-policies and https://w3c.github.io/webappsec-csp/#meta-element:

Note: A policy specified via a meta element will be enforced along with any other policies active for the protected resource, regardless of where they’re specified. The general impact of enforcing multiple policies is described in §8.1 The effect of multiple policies.

8.1. The effect of multiple policies

The behavior of an XMLHttpRequest might seem unclear given a site that, for whatever reason, delivered the following HTTP headers:

Content-Security-Policy: default-src 'self' http://example.com http://example.net;
                         connect-src 'none';
Content-Security-Policy: connect-src http://example.com/;
                         script-src http://example.com/

Is a connection to example.com allowed or not? The short answer is that the connection is not allowed.

Enforcing both policies means that a potential connection would have to pass through both unscathed. Even though the second policy would allow this connection, the first policy contains connect-src 'none', so its enforcement blocks the connection.

The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource.
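To make the "every policy must allow it" rule concrete, here is an added example that is not part of the question, the answer or the CSP spec: a small JavaScript model of CSP source matching that evaluates a fetch against a list of policies, the way a browser combines a header policy with a meta policy. It is a deliberate simplification of the CSP3 matching algorithm (no redirect tracking, nonces, hashes, 'strict-dynamic' or the http-to-https port upgrade rules). The header value "media-src *" is assumed, since the question never shows the server's headers, and the blob URL and GUID are constructed sample input.

```javascript
// Added example (not code from the question or the answer): a simplified
// model of how a browser combines several Content-Security-Policy policies.
// Assumptions: the server sends "media-src *" (the question never shows its
// headers); the blob: URL below is constructed sample input.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const NETWORK_SCHEMES = new Set(Object.keys(DEFAULT_PORT));
// host-source: [scheme://]host[:port][/path], where host may be "*" or "*.example.com"
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i;

// Parse "directive sources; directive sources" into a Map. Per the spec, a
// directive repeated within one policy keeps its first occurrence.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match `url`, fetched by a page at `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === page.origin;
  if (source.startsWith("'")) return false; // other keywords never match a URL
  // '*' matches network schemes (http, https, ws, wss) and the page's own
  // scheme only; it does NOT match blob:, data: or filesystem: URLs.
  if (source === '*') return NETWORK_SCHEMES.has(u.protocol) || u.protocol === page.protocol;
  // Scheme-source such as "blob:" or "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Without an explicit scheme, the URL must use the page's scheme.
  if (scheme ? u.protocol !== scheme.toLowerCase() + ':' : u.protocol !== page.protocol) return false;
  const hostname = u.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    if (!hostname.endsWith(host.slice(1).toLowerCase())) return false; // "*.example.com" needs a subdomain
  } else if (host !== '*' && hostname !== host.toLowerCase()) {
    return false;
  }
  // No port in the source means the URL must use the scheme's default port.
  const effectivePort = u.port || DEFAULT_PORT[u.protocol] || '';
  if (port === undefined ? u.port !== '' : port !== '*' && effectivePort !== port) return false;
  if (path && path !== '/') {
    return path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path;
  }
  return true;
}

// Look up the directive, falling back to default-src; a policy that has
// neither places no restriction on this kind of fetch.
function policyAllows(policyText, directive, url, pageOrigin) {
  const policy = parsePolicy(policyText);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// The multiple-policies rule: the fetch must pass EVERY policy in force,
// whether it came from a header or a <meta> element. Returns the policies
// that blocked it, which is what the console error names.
function evaluate(policies, directive, url, pageOrigin) {
  const blockedBy = policies.filter((p) => !policyAllows(p, directive, url, pageOrigin));
  return { allowed: blockedBy.length === 0, blockedBy };
}

const PAGE = 'https://my-site.com';
const VIDEO = 'blob:https://my-site.com/00000000-0000-4000-8000-000000000000'; // constructed GUID
const HEADER_POLICY = 'media-src *';       // assumed header sent by the server
const META_POLICY = 'media-src * blob:';   // the <meta> policy from the question

console.log(evaluate([HEADER_POLICY, META_POLICY], 'media-src', VIDEO, PAGE));
// { allowed: false, blockedBy: [ 'media-src *' ] }

// The fix belongs on the server side: widening the header, not the meta element.
console.log(evaluate(['media-src * blob:', META_POLICY], 'media-src', VIDEO, PAGE).allowed); // true
```

Two things the run makes visible: the meta policy on its own would have allowed the blob: URL, and `*` is not a true wildcard for media fetched from blob:, data: or filesystem: URLs, so adding `blob:` explicitly is necessary in whichever policy is the strictest one in force. Feeding the spec's two connect-src headers from §8.1 into `evaluate` gives the same "not allowed" verdict the spec describes, blocked by the first policy's `'none'`.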