Content Security Policy with an Iframe block

I created a website with an iframe element, but I am having trouble with the Content Security Policy. I have created one, but I still run into problems. The link to my site is https://daniellop.me/comments

The errors I get are the following:

[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''report-sample''. It will be ignored.
[Error] The source list for Content Security Policy directive 'style-src' contains an invalid source: ''report-sample''. It will be ignored.

[Error] The Content Security Policy directive 'report-uri' is ignored when delivered via an HTML meta element.
[Error] Unrecognized Content-Security-Policy directive 'worker-src'.

[Error] Refused to load https://c.daniellop.me/js/iframeResizer.min.js because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (comments.html, line 1)
[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''report-sample''. It will be ignored.

[Error] The source list for Content Security Policy directive 'style-src' contains an invalid source: ''report-sample''. It will be ignored.
[Error] Unrecognized Content-Security-Policy directive 'worker-src'.

[Info] Successfully preconnected to https://api.github.com/
[Error] Refused to load https://c.daniellop.me/en/widget?origin=https%3A%2F%2Fdaniellop.me%2Fcomments.html&session=ed4607482497cb466430f139%2BkgtddmKtaL8RbU%2FqGlagBFJqTeszuxjVT8vCzWLJOH1fuMPdKGfO2XE8xBrfJ%2BzXBXrZIUZ0LSQXt64xi7hZ7MO666GzN6notYDPb64gNQNwAWgiCrimp2f5yU%3D&theme=light&reactionsEnabled=0&emitMetadata=0&repo=daniellop1%2Fcomments&repoId=R_kgDOGmDcFQ&category=Comment&categoryId=DIC_kwDOGmDcFc4CAirK&description=&term=Main+comment+page because it does not appear in the frame-ancestors directive of the Content Security Policy.

My current Content Security Policy:

<meta http-equiv="Content-Security-Policy" content="default-src 'self';
script-src 'report-sample' 'self' https://c.daniellop.me/client.js;
style-src 'report-sample' 'self' https://cdn.daniellop.me;
object-src 'none';
base-uri 'self';
connect-src 'self';
font-src 'self';
frame-src 'self' https://c.daniellop.me;
img-src 'self';
manifest-src 'self';
media-src 'self';
report-uri https://61d813c6adaa4253cc595f23.endpoint.csper.io/?v=2;
worker-src 'none';">

The main source of the errors is that you are using CSP Level 3 features, while your browser may only be compatible with CSP Level 2. 'report-sample' and worker-src are only available in Level 3. Until Level 3 support improves, you should probably stick to Level 2 for now.

You are setting the CSP in a meta tag. Some directives can only be set in a CSP that is delivered as a response header, which is why report-uri fails.

Your inline style in comments.html violates the current policy.

You should generally only include hosts in source lists, and should replace https://c.daniellop.me/client.js with c.daniellop.me or https://c.daniellop.me.

There is also a frame-ancestors violation. Since frame-ancestors is ignored in a meta tag, another CSP must be set in the response header. Remember that if site A is framing site B, A's frame-src decides whether framing B is acceptable, and B's frame-ancestors decides whether being framed by A is acceptable.