CSP style-src SHA256 存在,但浏览器发出警告表明它不存在
CSP style-src SHA256 present, but browser issues warning that it isn't
我已将以下 CSP 添加到我的 nginx 配置中:
add_header Content-Security-Policy "default-src 'none'; script-src
'self'; img-src *.gravatar.com; script-src-elem 'self'
'sha256-HeezHnLPgcw5524/5YMbWWQXJ/fdKZsQX5vG7t1UmJw='
'sha256-FVzC2JpGNv45prICvPCadmKf+wnLz6Eem3UQaAnTK/4='
'sha256-Tr3bLHN4KJG2A/qFIDTX+Yb0nG+Z+HS9VAD6k0/r+vY='
'sha256-NYk7Q8DQLjjJRwkQ9oG2juhRXSdsOjLWMy0IpXWymRc='
'sha256-pu6oe0vPSMzzITPF3U0Z8qBWhbBKykixk7D9kFsDySY='; script-src-attr
'self'; style-src
'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='; style-src-elem
'self' 'sha256-OyKg6OHgnmapAcgq002yGA58wB21FOR7EcTwPWSs54E='
'sha256-CK/6NyEbsJb3V2Bo26t3s0V3RAi3gTWWrjUNGLIZLfw='
'sha256-hc4UHa0RDFRaKgh++CLvhy5nf4yco/u+xPDeTrTejhg=';";
我的浏览器 (Chrome) 发出以下警告:
Refused to apply inline style because it violates the following
Content Security Policy directive: "style-src 'self'
'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='". Either the
'unsafe-inline' keyword, a hash
('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce
('nonce-...') is required to enable inline execution. Note that hashes
do not apply to event handlers, style attributes and javascript:
navigations unless the 'unsafe-hashes' keyword is present.
如您所见,散列 style-src 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY=' 存在并已设置,但浏览器显示仍有问题。
我无法解决这个问题。有帮助吗?
这里回答得很好:
正如 user27878850 所建议的,您可以添加 'unsafe-hashes',但目前只能在 Chromium 浏览器中使用。
我已将以下 CSP 添加到我的 nginx 配置中:
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src *.gravatar.com; script-src-elem 'self' 'sha256-HeezHnLPgcw5524/5YMbWWQXJ/fdKZsQX5vG7t1UmJw=' 'sha256-FVzC2JpGNv45prICvPCadmKf+wnLz6Eem3UQaAnTK/4=' 'sha256-Tr3bLHN4KJG2A/qFIDTX+Yb0nG+Z+HS9VAD6k0/r+vY=' 'sha256-NYk7Q8DQLjjJRwkQ9oG2juhRXSdsOjLWMy0IpXWymRc=' 'sha256-pu6oe0vPSMzzITPF3U0Z8qBWhbBKykixk7D9kFsDySY='; script-src-attr 'self'; style-src 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='; style-src-elem 'self' 'sha256-OyKg6OHgnmapAcgq002yGA58wB21FOR7EcTwPWSs54E=' 'sha256-CK/6NyEbsJb3V2Bo26t3s0V3RAi3gTWWrjUNGLIZLfw=' 'sha256-hc4UHa0RDFRaKgh++CLvhy5nf4yco/u+xPDeTrTejhg=';";
我的浏览器 (Chrome) 发出以下警告:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='". Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
如您所见,散列 style-src 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY=' 存在并已设置,但浏览器显示仍有问题。
我无法解决这个问题。有帮助吗?
这里回答得很好:
正如 user27878850 所建议的,您可以添加 'unsafe-hashes',但目前只能在 Chromium 浏览器中使用。