我不得不将CSP添加到具有内联样式的页面,并避免使用unsafe-inline我正在使用哈希.我添加哈希的技巧只是在Chrome中加载页面,查看错误消息并复制所有建议的哈希值(例如从中<suggested hash>获取Refused to apply inline style because it violates the following Content Security Policy directive: "style-src ...". Either the 'unsafe-inline' keyword, a hash ('<suggested hash>'), or... is required to enable inline execution.).
这解决了Firefox中的问题,但在Chrome中没有.奇怪的是,Chrome似乎并不尊重它本身产生的哈希值.这导致了一个有趣的情况,即Chrome列出包含哈希的策略,表示它不符合,然后建议我添加一个哈希,它在之前打印的策略中.
我的政策:
default-src 'none'; font-src 'self' data:; img-src 'self'; script-src 'self' 'report-sample'; style-src 'self' 'sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-OTeu7NEHDo6qutIWo0F2TmYrDhsKWCzrUgGoxxHGJ8o=' 'sha256-fviu5RwuBYFcCd5CDanhy6NCLufcwvCAbm061aSqhoQ=' 'sha256-wS7xf+bhXBr5EM064hQkAW0vX3ks5VoxbGn+KQC/Vhk=' 'sha256-cxL35Ug49Sl1zHMOdz/r0xinQ6BYGgClHdDCk2XPTzE='; object-src 'self'; connect-src 'self'
这会导致许多错误,例如:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI=' …