内容安全政策拒绝列入白名单的脚本
Content Security Policy refusing white listed script
我在 CSP header 上将 youtube API 域列入白名单,但它仍然拒绝脚本。
CSP Header
default-src 'self'; script-src 'self' https://youtube.com/iframe_api s.ytimg.com; style-src 'self' ; img-src 'self' https://i.ytimg.com; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'none' ; child-src 'none' ; frame-src https://wwww.youtube.com ; worker-src 'self' ; frame-ancestors 'none' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; disown-opener; sandbox allow-scripts allow-same-origin; reflected-xss block; manifest-src 'self' ; referrer no-referrer;
错误
Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "script-src 'self' https://youtube.com/iframe_api s.ytimg.com".
通过使用 strict-dynamic 和随机数
解决了问题
我在 CSP header 上将 youtube API 域列入白名单,但它仍然拒绝脚本。
CSP Header
default-src 'self'; script-src 'self' https://youtube.com/iframe_api s.ytimg.com; style-src 'self' ; img-src 'self' https://i.ytimg.com; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'none' ; child-src 'none' ; frame-src https://wwww.youtube.com ; worker-src 'self' ; frame-ancestors 'none' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; disown-opener; sandbox allow-scripts allow-same-origin; reflected-xss block; manifest-src 'self' ; referrer no-referrer;
错误
Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "script-src 'self' https://youtube.com/iframe_api s.ytimg.com".
通过使用 strict-dynamic 和随机数