脚本导致“拒绝执行内联脚本:启用内联执行需要 'unsafe-inline' 关键字、散列……或随机数”
Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”
我不断收到此错误:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
谁能告诉我如何解决这个问题,这是什么意思?我的代码是:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data:gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="css/index.css">
<link rel="stylesheet" href="css/jquery.mobile-1.4.5.css">
<script src="lib/jquery-3.2.1.min.js"></script>
<script type="text/javascript" src="scripts/key.js"></script>
<script>$.ajax({
url: ' http://www.visitsingapore.com/api.listing.en.json',
type: 'GET',
beforeSend: function (xhr) {
xhr.setRequestHeader('email ID', '-------@gmail.com');
xhr.setRequestHeader('token ID', '-------');
},
data: {},
success: function (qwe12) {
var TrueResult2 = JSON.stringify(qwe12);
document.write(TrueResult2);
},
error: function () { },
});</script>
解决此问题的最佳方法是从文档中取出 $.ajax(…) 调用并将其移至名为 ajax-call.js 的外部文件中,然后执行以下操作:
<script src="ajax-call.js"></script>
这样做更好的原因是,如果您已经着手为您的文档设置 CSP 策略,那么理想情况下,您应该付出额外的努力来删除所有内联脚本。
但如果出于某种原因您确实需要将脚本内嵌在文档中,您可以更改该 meta 元素以便从错误消息作为 script-src 指令的来源包含在内,如下所示(为了便于阅读而添加了一些换行符):
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data:gap: http://www.visitsingapore.com
https://ssl.gstatic.com 'unsafe-eval';
style-src 'self' 'unsafe-inline';
media-src *;
script-src 'sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='
">
以下是获取更多信息的几个地方:
我不断收到此错误:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
谁能告诉我如何解决这个问题,这是什么意思?我的代码是:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data:gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="css/index.css">
<link rel="stylesheet" href="css/jquery.mobile-1.4.5.css">
<script src="lib/jquery-3.2.1.min.js"></script>
<script type="text/javascript" src="scripts/key.js"></script>
<script>$.ajax({
url: ' http://www.visitsingapore.com/api.listing.en.json',
type: 'GET',
beforeSend: function (xhr) {
xhr.setRequestHeader('email ID', '-------@gmail.com');
xhr.setRequestHeader('token ID', '-------');
},
data: {},
success: function (qwe12) {
var TrueResult2 = JSON.stringify(qwe12);
document.write(TrueResult2);
},
error: function () { },
});</script>
解决此问题的最佳方法是从文档中取出 $.ajax(…) 调用并将其移至名为 ajax-call.js 的外部文件中,然后执行以下操作:
<script src="ajax-call.js"></script>
这样做更好的原因是,如果您已经着手为您的文档设置 CSP 策略,那么理想情况下,您应该付出额外的努力来删除所有内联脚本。
但如果出于某种原因您确实需要将脚本内嵌在文档中,您可以更改该 meta 元素以便从错误消息作为 script-src 指令的来源包含在内,如下所示(为了便于阅读而添加了一些换行符):
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data:gap: http://www.visitsingapore.com
https://ssl.gstatic.com 'unsafe-eval';
style-src 'self' 'unsafe-inline';
media-src *;
script-src 'sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='
">
以下是获取更多信息的几个地方: