Django admin resource policy COEP ERR_BLOCKED_BY_RESPONSE

Posted on 2025-02-10 07:40:52

The static files of my Django admin site are on an S3 bucket (DigitalOcean Spaces actually) and in the Console I get an ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200

In the network panel all the static files are considered 3rd party and blocked for this reason (not same origin)

The response to any one of these files contains a not set cross-origin-resource-policy error which says:

To use this resource from a different origin, the server needs to specify a cross-origin resource policy in the response headers.

What I tried:

  • Following the error message, I tried to set a response header on the resources, something like Cross-Origin-Resource-Policy: cross-origin. But in DigitalOcean Spaces I cannot set headers other than Content-Type, Cache-Control, Content-Encoding, Content-Disposition and custom x-amz-meta- headers.
  • I tried to extend the Django admin/base.html template, duplicate a few link tags and manually set a crossorigin attribute on them. This way the resources are queried twice, one query is blocked as before and the other one is working. The only difference in the headers is that the Origin is set. Is there a way to tell Django to add a crossorigin attribute to all link and script and img tags of the Django admin templates?
  • I tried to remove the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers on the ingress loadbalancer, which I guess cause the blocking, by setting them to unsafe-none. Even though I think it should work with the policy, the change had no effect on the problem, which I don't understand.

What I didn't try:

  • I found this tutorial explaining how to set custom headers on S3 responses. The idea is to have a Lambda function in front modifying an x-amz- header to a standard header. Not sure I can easily replicate this with DigitalOcean Functions.

My workaround:

  • The ugly hack is to duplicate all Django admin templates and manually add a crossorigin attribute where needed.

I don't know where this comes from, a few weeks ago it was all good. Any help appreciated.

Comments (1)

醉酒的小男人 2025-02-17 07:40:52

With HTTP 2+ it's more efficient to serve assets from the same domain, as they can be served on a single connection.

Whitenoise is a popular solution for doing so with minimal configuration: https://whitenoise.evans.io/en/stable/

This solved the problem for me.

Thanks to Adam Johnson from djangoproject.
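
Added example (not part of the question or the answer above): a simplified Python model of the browser checks behind this error. It shows why a plain load from the bucket is blocked under Cross-Origin-Embedder-Policy: require-corp, why the same load with a crossorigin attribute can pass, and why same-origin serving (the WhiteNoise approach) skips the check. The hostnames, the bucket's Access-Control-Allow-Origin: * header and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def subresource_verdict(page_url, page_coep, resource_url, resource_headers,
                        crossorigin=False):
    """Model the browser's decision for one <link>/<script>/<img> load.

    Simplified: COEP is either require-corp or not (credentialless is not
    modeled) and the CORP value same-site is rejected as unsupported.
    """
    headers = {k.lower(): v.strip() for k, v in resource_headers.items()}
    if origin(page_url) == origin(resource_url):
        return "allowed (same origin)"
    if crossorigin:
        # CORS-mode request: Origin is sent, the response needs a matching ACAO.
        page_origin = "{}://{}".format(*urlsplit(page_url)[:2])
        acao = headers.get("access-control-allow-origin")
        return "allowed (CORS)" if acao in ("*", page_origin) else "blocked (CORS)"
    # no-cors request: Cross-Origin-Resource-Policy check.
    corp = headers.get("cross-origin-resource-policy")
    if corp not in ("same-origin", "same-site", "cross-origin"):
        corp = None  # missing or unrecognised counts as "not set"
    if corp is None and page_coep.split(";")[0].strip() == "require-corp":
        corp = "same-origin"  # the "DefaultedToSameOriginByCoep" in the error
    if corp == "same-site":
        raise ValueError("same-site needs a registrable-domain check; not modeled")
    return "blocked (CORP)" if corp == "same-origin" else "allowed (no-cors)"


# Constructed sample values, not taken from the question.
PAGE = "https://admin.example.com/admin/"
BUCKET_CSS = "https://static.example.net/static/admin/css/base.css"
LOCAL_CSS = "https://admin.example.com/static/admin/css/base.css"
BUCKET_HEADERS = {"Content-Type": "text/css", "Access-Control-Allow-Origin": "*"}

if __name__ == "__main__":
    print(subresource_verdict(PAGE, "require-corp", BUCKET_CSS, BUCKET_HEADERS))
    print(subresource_verdict(PAGE, "require-corp", BUCKET_CSS, BUCKET_HEADERS, True))
    print(subresource_verdict(PAGE, "require-corp", LOCAL_CSS, {"Content-Type": "text/css"}))
```

When the model and the browser disagree, compare against the response headers the network panel shows for the admin page itself, since that response is where the Cross-Origin-Embedder-Policy value comes from.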
