内容安全策略在允许的域中阻止 URI
Content Security Policy is Blocking URI in Allowed Domain
我的 .htaccess 文件中设置了以下内容安全策略:
default-src 'none'; \
form-action 'self'; \
frame-ancestors 'none'; \
font-src 'self' data: fonts.gstatic.com *.fontawesome.com; \
img-src 'self' data: www.google-analytics.com www.facebook.com; \
script-src 'self' 'unsafe-inline' www.google-analytics.com ssl.google-analytics.com www.google.com www.gstatic.com ajax.cloudflare.com www.googletagmanager.com connect.facebook.net *.fontawesome.com; \
style-src 'self' 'unsafe-inline' fonts.googleapis.com *.fontawesome.com; \
connect-src 'self' www.google-analytics.com *.fontawesome.com; \
frame-src www.google.com; \
base-uri 'none'; \
report-uri /csp-report.php
当我访问该站点时,开发人员工具控制台中没有收到任何 CSP 消息。但是,我通过 report-uri 收到这样的报告:
blocked-uri: https://www.google-analytics.com/analytics.js
document-uri: https://URL.com/
original-policy: default-src 'none'; form-action 'self'; frame-ancestors 'none'; font-src 'self' data: https://fonts.gstatic.com https://*.fontawesome.com; img-src 'self' data: https://www.google-analytics.com https://www.facebook.com; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://ssl.google-analytics.com https://www.google.com https://www.gstatic.com https://ajax.cloudflare.com https://www.googletagmanager.com https://connect.facebook.net https://*.fontawesome.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.fontawesome.com; connect-src 'self' https://www.google-analytics.com https://*.fontawesome.com; frame-src https://www.google.com; base-uri 'none'; report-uri https://URL.com/csp-report.php
referrer:
violated-directive: script-src
始终是相同的 URI https://www.google-analytics.com/analytics.js 被阻止,我不明白为什么。这是由于用户端的某些东西阻止了 Google 分析吗?
我遇到了同样的问题。我能够追溯到基于此 SO answer.
的浏览器扩展
TL;DR;是浏览器扩展加载 google 分析并且它们被 CSP 阻止但它显示好像它源自您的站点。
我的 .htaccess 文件中设置了以下内容安全策略:
default-src 'none'; \
form-action 'self'; \
frame-ancestors 'none'; \
font-src 'self' data: fonts.gstatic.com *.fontawesome.com; \
img-src 'self' data: www.google-analytics.com www.facebook.com; \
script-src 'self' 'unsafe-inline' www.google-analytics.com ssl.google-analytics.com www.google.com www.gstatic.com ajax.cloudflare.com www.googletagmanager.com connect.facebook.net *.fontawesome.com; \
style-src 'self' 'unsafe-inline' fonts.googleapis.com *.fontawesome.com; \
connect-src 'self' www.google-analytics.com *.fontawesome.com; \
frame-src www.google.com; \
base-uri 'none'; \
report-uri /csp-report.php
当我访问该站点时,开发人员工具控制台中没有收到任何 CSP 消息。但是,我通过 report-uri 收到这样的报告:
blocked-uri: https://www.google-analytics.com/analytics.js
document-uri: https://URL.com/
original-policy: default-src 'none'; form-action 'self'; frame-ancestors 'none'; font-src 'self' data: https://fonts.gstatic.com https://*.fontawesome.com; img-src 'self' data: https://www.google-analytics.com https://www.facebook.com; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://ssl.google-analytics.com https://www.google.com https://www.gstatic.com https://ajax.cloudflare.com https://www.googletagmanager.com https://connect.facebook.net https://*.fontawesome.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.fontawesome.com; connect-src 'self' https://www.google-analytics.com https://*.fontawesome.com; frame-src https://www.google.com; base-uri 'none'; report-uri https://URL.com/csp-report.php
referrer:
violated-directive: script-src
始终是相同的 URI https://www.google-analytics.com/analytics.js 被阻止,我不明白为什么。这是由于用户端的某些东西阻止了 Google 分析吗?
我遇到了同样的问题。我能够追溯到基于此 SO answer.
的浏览器扩展TL;DR;是浏览器扩展加载 google 分析并且它们被 CSP 阻止但它显示好像它源自您的站点。