Cordova - 拒绝执行内联事件处理程序,因为它违反了以下内容安全策略
Cordova - refuse to execute inline event handler because it violates the following content Security policy
我正在接受 Cordova 应用程序开发培训,我解决了内容安全策略的问题。
我的应用程序是 运行 Android 模拟器,但是当我必须执行 javascript 时,我在 NetBeans 中收到一条消息(输出 window)。
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.gstatic.com". (22:35:56:126 | error, security)
at www/index.html:58
我的代码如下。这是我的index.html。
我试图了解 CSP 的工作原理,我想我理解这个概念,但在这种情况下,我不明白这个问题。第58行是评论。
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' * data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'; script-src 'self' https://ssl.gstatic.com; media-src *">
<meta name="format-detection" content="telephone=no">
<meta name="msapplication-tap-highlight" content="no">
<meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width">
<title>Hello World</title>
<link rel="stylesheet" type="text/css" href="css/index.css">
</head>
<body>
<div class="app">
<h1>Apache Cordova</h1>
<div id="deviceready" class="blink">
<p class="event listening">Connecting to Device</p>
<p class="event received">Device is Ready</p>
</div>
</div>
<!--
line 58
-->
<button onclick="capturePhoto();">Capture Photo</button> <br>
<img style="display:none;width:80px;height:80px;" id="smallImage" src="" />
<img style="display:none;" id="largeImage" src="" />
<script type="text/javascript" src="cordova.js"></script>
<script type="text/javascript" src="js/index.js"></script>
</body>
</html>
预先感谢您的帮助,因为我需要它。
杰罗姆
检查这个 link,它说:
Inline JavaScript will not be executed. This restriction bans both inline <script> blocks and inline event handlers (e.g. button onclick="...").
为避免如下指定的跨站点脚本问题
one.app#/home:1 Refused to execute inline event handler because it violates the following Content
Security Policy directive: "script-src 'self' 'nonce-d452460d-e219-a6e5-5709-c8af6ca82889'
chrome-extension: 'unsafe-inline' 'unsafe-eval' https://sfdc.azureedge.net
*.na34.visual.force.com https://ssl.gstatic.com/accessibility/". Note that 'unsafe-inline'
is ignored if either a hash or nonce value is present in the source list.
选择 event listener functions 而不是 onclick='myFun()"。
<body onload="main();">
<button onclick="clickHandler(this)">
Click for awesomeness!
</button>
</body>
<script>
function clickHandler(element) {
// On click Code
}
function main() {
// Initialization work goes here.
}
</script>
为了使用新浏览器,您需要在编写代码时明确区分内容和行为。
<body>
<button>Click for awesomeness!</button>
</body>
<script src="popup.js"></script>
<!-- popup.js -->
document.addEventListener('DOMContentLoaded', function () {
document.querySelector('button').addEventListener('click', clickHandler);
main();
});
function clickHandler(element) {
// On click Code
}
function main() {
// Initialization work goes here.
}
<!-- popup.js -->
尝试将 img-src * 添加到 Content-Security-Policy 标签:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src *">
我正在接受 Cordova 应用程序开发培训,我解决了内容安全策略的问题。
我的应用程序是 运行 Android 模拟器,但是当我必须执行 javascript 时,我在 NetBeans 中收到一条消息(输出 window)。
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' https://ssl.gstatic.com". (22:35:56:126 | error, security)
at www/index.html:58
我的代码如下。这是我的index.html。 我试图了解 CSP 的工作原理,我想我理解这个概念,但在这种情况下,我不明白这个问题。第58行是评论。
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' * data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'; script-src 'self' https://ssl.gstatic.com; media-src *">
<meta name="format-detection" content="telephone=no">
<meta name="msapplication-tap-highlight" content="no">
<meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width">
<title>Hello World</title>
<link rel="stylesheet" type="text/css" href="css/index.css">
</head>
<body>
<div class="app">
<h1>Apache Cordova</h1>
<div id="deviceready" class="blink">
<p class="event listening">Connecting to Device</p>
<p class="event received">Device is Ready</p>
</div>
</div>
<!--
line 58
-->
<button onclick="capturePhoto();">Capture Photo</button> <br>
<img style="display:none;width:80px;height:80px;" id="smallImage" src="" />
<img style="display:none;" id="largeImage" src="" />
<script type="text/javascript" src="cordova.js"></script>
<script type="text/javascript" src="js/index.js"></script>
</body>
</html>
预先感谢您的帮助,因为我需要它。 杰罗姆
检查这个 link,它说:
Inline JavaScript will not be executed. This restriction bans both inline
<script>blocks and inline event handlers(e.g. button onclick="...").
为避免如下指定的跨站点脚本问题
one.app#/home:1 Refused to execute inline event handler because it violates the following Content
Security Policy directive: "script-src 'self' 'nonce-d452460d-e219-a6e5-5709-c8af6ca82889'
chrome-extension: 'unsafe-inline' 'unsafe-eval' https://sfdc.azureedge.net
*.na34.visual.force.com https://ssl.gstatic.com/accessibility/". Note that 'unsafe-inline'
is ignored if either a hash or nonce value is present in the source list.
选择 event listener functions 而不是 onclick='myFun()"。
<body onload="main();">
<button onclick="clickHandler(this)">
Click for awesomeness!
</button>
</body>
<script>
function clickHandler(element) {
// On click Code
}
function main() {
// Initialization work goes here.
}
</script>
为了使用新浏览器,您需要在编写代码时明确区分内容和行为。
<body>
<button>Click for awesomeness!</button>
</body>
<script src="popup.js"></script>
<!-- popup.js -->
document.addEventListener('DOMContentLoaded', function () {
document.querySelector('button').addEventListener('click', clickHandler);
main();
});
function clickHandler(element) {
// On click Code
}
function main() {
// Initialization work goes here.
}
<!-- popup.js -->
尝试将 img-src * 添加到 Content-Security-Policy 标签:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src *">