Content Security Policy problems with calling functions and displaying images
Do not understand the effect of the policy I specify at my site http://pcrypt.org/dev/groups.php.
header("X-Content-Security-Policy: allow 'self'; img-src *; script-src 'self'; frame-src 'self'; style-src 'self';");
If I disallow inline scripts, how do I then call a function? In the page I have tried to call a function located in a js file on the server from onload (body onload='initialize()'), but it generates this error (sorry, in Danish):
Advarsel: CSP: Directive "inline script base restriction" violated
Kildefil: http://pcrypt.dk/dev/groups.php
Linje: 0
Kildekode:
onload attribute on UNKNOWN element
Works fine with "options inline-script;"
added
Also like to call initialize()
when the DOM is ready and not wait for images to load but how do I do this with CSP in place?
Also think that I need "img-src *;"
but then no images are shown at all. The images are located on the same server?
Please help me to understand.
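As an added example (not the poster's code and not any browser's implementation), the following script parses a policy string in the header syntax used above and answers the two questions in the post: whether an onload attribute counts as inline script under script-src 'self', and which image URLs img-src * versus img-src 'self' admit. It first converts the pre-standard Firefox X-Content-Security-Policy spelling (allow, which played the role of today's default-src, and options inline-script, which played the role of today's 'unsafe-inline') into the standard directive names. Source matching is simplified (exact origin for 'self', *.host wildcards, optional scheme and port; nonces, hashes and scheme-less host sources inheriting the page scheme are not modelled), and the sample URLs and script names such as app.js are constructed. One check worth noting: 'self' is the exact origin of the page, so a script served from pcrypt.dk is not 'self' for a page at pcrypt.org, and both hosts appear in the post.

```javascript
// Added example, not the poster's code: a simplified CSP evaluator.
// Directive names follow the standard Content-Security-Policy header; the legacy
// X-Content-Security-Policy spelling (allow / options inline-script) is converted first.

// Split "name src src; name src" into a Map of directive -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// A fetch directive falls back to default-src; null means "not restricted at all".
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Convert the pre-standard Firefox X-CSP spelling used in the question:
// `allow` was the default source list, `options inline-script` permitted inline script.
function fromLegacyXcsp(header) {
  const policy = parsePolicy(header);
  if (policy.has('allow')) {
    policy.set('default-src', policy.get('allow'));
    policy.delete('allow');
  }
  if (policy.has('options')) {
    const options = policy.get('options');
    policy.delete('options');
    const scripts = sourcesFor(policy, 'script-src');
    if (options.includes('inline-script') && scripts !== null) {
      policy.set('script-src', [...scripts, "'unsafe-inline'"]);
    }
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Host-source matching: optional scheme://, host or *.host, optional :port or :*.
function hostSourceMatches(src, url) {
  const u = new URL(url);
  let hostPort = src;
  const withScheme = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (withScheme) {
    if (withScheme[1].toLowerCase() + ':' !== u.protocol) return false;
    hostPort = withScheme[2];
  }
  const [hostPattern, port] = hostPort.split(':');
  if (port !== undefined && port !== '*' && port !== (u.port || defaultPort(u.protocol))) return false;
  const host = u.hostname.toLowerCase();
  if (hostPattern.startsWith('*.')) {
    const suffix = hostPattern.slice(1).toLowerCase(); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === hostPattern.toLowerCase();
}

// Would a resource fetched under `directive` from resourceUrl be allowed on a page at pageUrl?
function allowsUrl(policy, directive, resourceUrl, pageUrl) {
  const sources = sourcesFor(policy, directive);
  if (sources === null) return true;
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return new URL(resourceUrl).origin === pageOrigin;
    if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URL
    return hostSourceMatches(src, resourceUrl);
  });
}

// Inline script (a <script> body or an onload/onclick attribute) needs 'unsafe-inline';
// nonces and hashes are not modelled here.
function allowsInlineScript(policy) {
  const sources = sourcesFor(policy, 'script-src');
  return sources === null || sources.includes("'unsafe-inline'");
}

// Constructed sample: the header from the question, evaluated for its own page.
const PAGE = 'http://pcrypt.org/dev/groups.php';
const QUESTION_POLICY = fromLegacyXcsp(
  "allow 'self'; img-src *; script-src 'self'; frame-src 'self'; style-src 'self';"
);

console.log('onload attribute allowed:', allowsInlineScript(QUESTION_POLICY)); // false
console.log('same-origin script:', allowsUrl(QUESTION_POLICY, 'script-src', 'http://pcrypt.org/dev/app.js', PAGE)); // true
console.log('script from pcrypt.dk:', allowsUrl(QUESTION_POLICY, 'script-src', 'http://pcrypt.dk/dev/app.js', PAGE)); // false
console.log('image from any host:', allowsUrl(QUESTION_POLICY, 'img-src', 'http://example.net/a.png', PAGE)); // true
```

Run it with node; the three printed lines show that the policy in the question blocks the onload attribute (no 'unsafe-inline' in script-src), allows the external script from the page's own origin, and allows images from anywhere, so img-src * is not what hides the images.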
Comments (1)
OK now I think I got it ;-)
img-src 'self'; does work now as expected - think I was missing ''
It is impossible to call any sort of functions in the HTML part when CSP is in place. I have to assign onclick event handlers etc. in javascript code. I believed it was possible to call a JS function from the HTML part - this is not the case.
Quite a bit of work to support CSP actually!
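An added example of what the comment describes, not the poster's code: an external script, served from the same origin so that it satisfies script-src 'self', which replaces body onload='initialize()' and any inline onclick attributes, and which runs initialize() as soon as the DOM is parsed rather than after every image has loaded. Modern CSP also offers nonce- and hash-based allowances for inline script, but moving handlers into an external file is the simplest way to stay within script-src 'self'. The element ids (save-group, group-form) and the handler bodies are hypothetical.

```javascript
// Added example, not the poster's code: an external script that wires event handlers
// from JavaScript instead of from HTML attributes, which script-src 'self' blocks.

// Attach handlers from script; returns how many elements were wired (for checking).
function initialize(doc) {
  let wired = 0;
  const saveButton = doc.getElementById('save-group'); // hypothetical element id
  if (saveButton) {
    saveButton.addEventListener('click', onSaveClick); // replaces onclick="onSaveClick()"
    wired += 1;
  }
  const form = doc.getElementById('group-form'); // hypothetical element id
  if (form) {
    form.addEventListener('submit', onSubmit); // replaces onsubmit="..."
    wired += 1;
  }
  return wired;
}

function onSaveClick(event) {
  // Whatever the inline onclick used to do goes here (hypothetical).
  return event;
}

function onSubmit(event) {
  // Hypothetical: stop the submit so a validation step can run first.
  if (event && typeof event.preventDefault === 'function') event.preventDefault();
  return false;
}

// Run fn once the DOM is parsed (DOMContentLoaded) rather than after all images have
// loaded (the window 'load' event behind body onload). A script that starts after
// parsing already finished would never see DOMContentLoaded, so check readyState first.
function whenDomReady(doc, fn) {
  if (doc.readyState === 'loading') {
    doc.addEventListener('DOMContentLoaded', () => fn(doc), { once: true });
    return 'deferred';
  }
  fn(doc);
  return 'immediate';
}

// In a browser this line is the whole entry point; under node there is no document.
if (typeof document !== 'undefined') whenDomReady(document, initialize);
```

Load it with a plain script tag pointing at the same origin (for example <script src="/dev/groups.js"></script>, a hypothetical path) and drop the onload and onclick attributes from the HTML; the policy from the question then reports no inline-script violation.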