由于内容安全策略,Facebook Instant Game 无法从 cloudflare.com 加载脚本
Facebook Instant Game fails to load scripts from cloudflare.com due to Content Security Policy
在我的 Facebook Instant Game 中,我尝试从 cloudflare.com 静态加载脚本,例如:
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/pixi.js/4.8.5/pixi.min.js"></script>
但是出现 Chrome 浏览器错误:
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net cdn.mixpnl.com *.google-analytics.com web.localytics.com *.googletagmanager.com blob: *.cloudfront.net *.amazonaws.com *.googleapis.com *.firebaseapp.com *.firebaseio.com *.8686c.com *.cncovs.com *.aliyun.com *.aliyuncs.com *.wsdvs.com *.console.re *.kunlunar.com *.layabox.com *.windows.net *.msecnd.net *.anysdk.com cdn.trackjs.com cdn.firebase.com *.kochava.com *.akamaized.net *.cocos.com *.hinet.net *.playfab.com code.createjs.com *.zdassets.com websdk.appsflyer.com ". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
有没有办法从 cloudflare 加载脚本?
Content Security Policy 是减轻对 site/app.
的 XSS(cross-site 脚本)攻击的方法之一
要允许您的 site/app 从 cdnjs.cloudflare.com 加载脚本,您需要 add/append Content-Security-Policy 的 script-src 指令中的域HTTP 响应 header.
httpd.conf:
Header set Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;"
nginx.conf:
add_header Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;";
然后确保 运行 在重新加载或重新启动 httpd/nginx 服务之前检查配置。
在我的 Facebook Instant Game 中,我尝试从 cloudflare.com 静态加载脚本,例如:
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/pixi.js/4.8.5/pixi.min.js"></script>
但是出现 Chrome 浏览器错误:
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net cdn.mixpnl.com *.google-analytics.com web.localytics.com *.googletagmanager.com blob: *.cloudfront.net *.amazonaws.com *.googleapis.com *.firebaseapp.com *.firebaseio.com *.8686c.com *.cncovs.com *.aliyun.com *.aliyuncs.com *.wsdvs.com *.console.re *.kunlunar.com *.layabox.com *.windows.net *.msecnd.net *.anysdk.com cdn.trackjs.com cdn.firebase.com *.kochava.com *.akamaized.net *.cocos.com *.hinet.net *.playfab.com code.createjs.com *.zdassets.com websdk.appsflyer.com ". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
有没有办法从 cloudflare 加载脚本?
Content Security Policy 是减轻对 site/app.
的 XSS(cross-site 脚本)攻击的方法之一要允许您的 site/app 从 cdnjs.cloudflare.com 加载脚本,您需要 add/append Content-Security-Policy 的 script-src 指令中的域HTTP 响应 header.
httpd.conf:
Header set Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;"
nginx.conf:
add_header Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;";
然后确保 运行 在重新加载或重新启动 httpd/nginx 服务之前检查配置。