使用 Angular4 设置内容安全策略时出错
Getting error while setting the content-security-policy using Angular4
我在使用 Angular4 设置 content-security-policy 时遇到以下错误。
错误:
Refused to connect to
'ws://localhost:4200/sockjs-node/812/lxo2oeas/websocket' because it
violates the following Content Security Policy directive: "default-src
'self' 'unsafe-eval'". Note that 'connect-src' was not explicitly set,
so 'default-src' is used as a fallback.
Uncaught TypeError: event.data.indexOf is not a function at receiveMessage (out.js:4)
这是我的代码:
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">
<meta charset="utf-8">
<title>Myapp</title>
<base href="/">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="favicon.ico">
</head>
<body>
<app-root></app-root>
</body>
</html>
这里我需要设置 content-security-policy 但出现了这些错误。
您需要明确指出 ws: 源表达式是允许的。
因此,要么将您的 meta 元素更改为:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';
connect-src ws:">
…也就是说,添加一个带有 ws: 源表达式的 connect-src 指令。
或者这样做:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval' ws:;
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">
…也就是说,将 ws: 源表达式添加到现有的 default-src 指令中。
我在 Angular 9.1.12 部署在 WildFly Server(之前是 JBoss).起初我认为问题出在带有 <meta> 标签 (<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline';'">) 的 index.html 中,但实际上错误出在 WildFly 服务器中,特别是在 response-header设置在standalone.xml.
standalone.xml:
<filters>
<response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
**Here=>** <response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="default-src 'self'; style-src 'self' 'unsafe-inline'"/>
<response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
<response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
<response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
<response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
<response-header name="my-custom-header" header-name="my-custom-header" header-value="my-custom-value"/>
</filters>
然后重新启动 WildFly 服务器,jboss-cli 位于 wildfly 的 bin 文件夹中:
./jboss-cli.sh --connect command=:reload
我在使用 Angular4 设置 content-security-policy 时遇到以下错误。
错误:
Refused to connect to 'ws://localhost:4200/sockjs-node/812/lxo2oeas/websocket' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Uncaught TypeError: event.data.indexOf is not a function at receiveMessage (out.js:4)
这是我的代码:
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">
<meta charset="utf-8">
<title>Myapp</title>
<base href="/">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="favicon.ico">
</head>
<body>
<app-root></app-root>
</body>
</html>
这里我需要设置 content-security-policy 但出现了这些错误。
您需要明确指出 ws: 源表达式是允许的。
因此,要么将您的 meta 元素更改为:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';
connect-src ws:">
…也就是说,添加一个带有 ws: 源表达式的 connect-src 指令。
或者这样做:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval' ws:;
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">
…也就是说,将 ws: 源表达式添加到现有的 default-src 指令中。
我在 Angular 9.1.12 部署在 WildFly Server(之前是 JBoss).起初我认为问题出在带有 <meta> 标签 (<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline';'">) 的 index.html 中,但实际上错误出在 WildFly 服务器中,特别是在 response-header设置在standalone.xml.
standalone.xml:
<filters>
<response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
**Here=>** <response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="default-src 'self'; style-src 'self' 'unsafe-inline'"/>
<response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
<response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
<response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
<response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
<response-header name="my-custom-header" header-name="my-custom-header" header-value="my-custom-value"/>
</filters>
然后重新启动 WildFly 服务器,jboss-cli 位于 wildfly 的 bin 文件夹中:
./jboss-cli.sh --connect command=:reload