Setting up a Rails content security policy

Jer*_*ome 6 ruby-on-rails content-security-policy

The following browser console error message is raised several times on a given page:

Refused to apply inline style because it violates the following  
Content Security Policy directive: "style-src 'self' https:".  
Either the 'unsafe-inline' keyword, a hash ('sha256-1eLkOKTGLdFR92ElIWA31YdS/7E3GLP3GvnXjSvRz+s='),  
or a nonce ('nonce-...') is required to enable inline execution.  
Note that hashes do not apply to event handlers, style attributes and  
javascript: navigations unless the 'unsafe-hashes' keyword is present.

It refers to an initializer left at the stock (default) values, plus a reference to an ngrok address used for local development:

 Rails.application.configure do
   config.content_security_policy do |policy|
     # default-src is the fallback for any fetch directive not listed below.
     policy.default_src :self, :https, 'https://343e-5-170-92-35.eu.ngrok.io'
     policy.font_src    :self, :https, :data
     policy.img_src     :self, :https, :data
     policy.object_src  :none
     policy.script_src  :self, :https
     # Only the page's own origin and https: hosts; no inline source keyword.
     policy.style_src   :self, :https
   end
   # Nonce derived from the session id, emitted only for script-src.
   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
   config.content_security_policy_nonce_directives = %w(script-src)
 end

These directives and their mechanics are fairly opaque to this user... and when it comes to inline styles, they feel particularly pointless when the styles originate from self... Adding :unsafe_inline to the style_src policy does make them go away, but I fail to understand how inline styles can be considered unsafe if they are generated by self.
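The console message quoted above is the browser's inline-source check, not a judgement about where the page came from: 'self' and https: are host and scheme sources, and they only govern where external stylesheets may be fetched from; an inline <style> body or style="..." attribute has no origin to match, so it is only admitted by 'unsafe-inline', a matching hash, or a matching nonce. The script below is an added illustration, not code from the question or from Rails. It computes the sha256- token the message quotes and models the style-src decision for inline content; it deliberately covers only the inline subset of CSP3 (no host matching, no report-only handling), and the policy strings and CSS body it is fed are constructed for the example.

```ruby
require "digest"
require "base64"

# Hash token a browser reports for an inline <style>/<script> body:
# 'sha256-' + base64(SHA-256(body)), the same shape as the value quoted
# in the console error ("sha256-1eLkOKTGLdFR92ElIWA31YdS/7E3GLP3GvnXjSvRz+s=").
def csp_sha256(body)
  "sha256-#{Base64.strict_encode64(Digest::SHA256.digest(body))}"
end

# Source list of `name` from a serialized policy header value, falling back to
# default-src the way browsers do for fetch directives; nil if neither exists.
def source_list(policy, name)
  directives = policy.split(";").map { |d| d.strip.split(/\s+/) }.reject(&:empty?)
  found = directives.find { |d| d.first == name } ||
          directives.find { |d| d.first == "default-src" }
  found && found.drop(1)
end

# Simplified CSP3 decision for inline styles (the subset relevant here).
# `kind` is :element for a <style>...</style> body and :attribute for a
# style="..." attribute. `nonce` is the value carried by the element, if any.
# Note that host/scheme sources such as 'self' and https: are never consulted:
# they describe fetch origins and cannot match inline content.
def inline_style_allowed?(policy, body, kind: :element, nonce: nil)
  sources = source_list(policy, "style-src")
  return true if sources.nil? # no style-src and no default-src: unrestricted

  nonces = sources.filter_map { |s| s[/\A'nonce-(.+)'\z/, 1] }
  hashes = sources.filter_map { |s| s[/\A'(sha(?:256|384|512)-[^']+)'\z/, 1] }

  # CSP3: once any nonce or hash is listed, 'unsafe-inline' is ignored, which
  # is how a site migrates away from it without breaking older browsers.
  return true if sources.include?("'unsafe-inline'") && nonces.empty? && hashes.empty?

  case kind
  when :element
    (nonce && nonces.include?(nonce)) || hashes.include?(csp_sha256(body))
  when :attribute
    # Attributes cannot carry a nonce, and hashes only cover them when
    # 'unsafe-hashes' is present (the last line of the console message).
    sources.include?("'unsafe-hashes'") && hashes.include?(csp_sha256(body))
  else
    raise ArgumentError, "kind must be :element or :attribute"
  end
end

if __FILE__ == $0
  body = "body { margin: 0 }" # constructed inline CSS
  puts csp_sha256(body)
  puts inline_style_allowed?("style-src 'self' https:", body)                         # false
  puts inline_style_allowed?("style-src 'self' https: '#{csp_sha256(body)}'", body)   # true
  puts inline_style_allowed?("style-src 'self' 'nonce-r4nd0m'", body, nonce: "r4nd0m") # true
end
```

In Rails terms the two ways to keep the restriction while allowing your own inline CSS are: list style-src in config.content_security_policy_nonce_directives (the initializer above names only script-src, so Rails emits no nonce on style-src at all) and put nonce="<%= content_security_policy_nonce %>" on the inline <style> element; or, for CSS that never changes, hash it and add the quoted token to policy.style_src, e.g. policy.style_src :self, :https, "'sha256-...'". 'unsafe-inline' also silences the message, but it admits any inline CSS that reaches the page, including CSS injected through a template bug, which is precisely what the directive exists to stop. One caveat on the generator shown: deriving the nonce from the session id makes it the same value for every response in that session, so it is no longer a one-time secret; a per-request value such as SecureRandom.base64(16) is the conservative choice.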