“[仅报告]拒绝加载字体...”控制台上的错误消息
“[仅报告]拒绝加载字体...”控制台上的错误消息
提问于 2014-10-26 19:22:27
更确切地说:
[Report Only] Refused to load the font 'data:application/x-font-woff;charset=utf-8;base64,d09GRgABAAAAABBQAAoAAAAAG…H8zVsjnmMx0GcZ2HGViNOySWEa9fvEQtW43Nm+EOO0ZIpdLbMXoVzPJkcfHT6U+gLEpz/MAAAA' because it violates the following Content Security Policy directive: "font-src 'self'".这是我在environment.js上的contentSecurityPolicy对象
contentSecurityPolicy: {
'default-src': "'none'",
'script-src': "'self' 'unsafe-inline' 'unsafe-eval' connect.facebook.net",
'connect-src': "'self'",
'img-src': "'self' www.facebook.com",
'style-src': "'self' 'unsafe-inline'",
'frame-src': "s-static.ak.facebook.com static.ak.facebook.com www.facebook.com",
'report-uri': "http://localhost:4200"
},有什么问题吗?
回答 3
Stack Overflow用户
回答已采纳
发布于 2014-10-27 00:08:05
添加'font-src': "data:",以将加载的字体列入白名单。
Stack Overflow用户
发布于 2017-04-10 22:08:57
我已经花了相当多的时间试图弄清楚为什么我的聚合物代码的构建版本在火狐和safari中违反了我的CSP (适用于chrome),事实证明,由于聚合物组件包含内联脚本,它们可以导致CSP问题,这些问题不能使用火狐和safari的'unsafe- inline‘和'unsafe-eval’头文件来解决,但是如果你的脚本CSP包含data:,这将允许在聚合物构建过程中编译的内联脚本在您的web应用程序上运行,而不会违反CSP。我想我会在这里分享,因为这个答案帮助我解决了我的问题。
Stack Overflow用户
发布于 2019-06-07 23:16:19
您可能需要考虑使用coma ',‘来分隔您的例外:
这是发布在网站上的示例:https://github.com/helmetjs/csp
const csp = require('helmet-csp')
app.use(csp({
// Specify directives as normal.
directives: {
defaultSrc: ["'self'", 'default.com'],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ['style.com'],
fontSrc: ["'self'", 'fonts.com'],
imgSrc: ['img.com', 'data:'],
sandbox: ['allow-forms', 'allow-scripts'],
reportUri: '/report-violation',
objectSrc: ["'none'"],
upgradeInsecureRequests: true,
workerSrc: false // This is not set.
},
// This module will detect common mistakes in your directives and throw errors
// if it finds any. To disable this, enable "loose mode".
loose: false,
// Set to true if you only want browsers to report errors, not block them.
// You may also set this to a function(req, res) in order to decide dynamically
// whether to use reportOnly mode, e.g., to allow for a dynamic kill switch.
reportOnly: false,
// Set to true if you want to blindly set all headers: Content-Security-Policy,
// X-WebKit-CSP, and X-Content-Security-Policy.
setAllHeaders: false,
// Set to true if you want to disable CSP on Android where it can be buggy.
disableAndroid: false,
// Set to false if you want to completely disable any user-agent sniffing.
// This may make the headers less compatible but it will be much faster.
// This defaults to `true`.
browserSniff: true
}))页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/26572418
复制相关文章
相似问题
腾讯云开发者
