提问人:Tushar 提问时间:8/2/2023 最后编辑:Holger JustTushar 更新时间:8/3/2023 访问量:51
Content-Security 标头向我抛出错误
Content-Security Header throwing me error
问:
我通过提供以下指令值作为
style-src:'unsafe-inline" script-src: www.googletagmanager; font-src: 'self' https://fonts.gstatic.com https://fonts.googleapis.com https://cdn.syncfusion.com;
像这样,但抛出我们 G-tag 的错误,即
ReferenceError: gtag is not defined
at m._next (main-es2015.f8382347a5a3c0995032.js:1:7087636)
at m.__tryOrUnsub (main-es2015.f8382347a5a3c0995032.js:1:3347524)
at m.next (main-es2015.f8382347a5a3c0995032.js:1:3346769)
at g._next (main-es2015.f8382347a5a3c0995032.js:1:3345964)
at g.next (main-es2015.f8382347a5a3c0995032.js:1:3345738)
at t.next (main-es2015.f8382347a5a3c0995032.js:1:3350442)
at m._next (main-es2015.f8382347a5a3c0995032.js:1:7046320)
at m.__tryOrUnsub (main-es2015.f8382347a5a3c0995032.js:1:3347524)
at m.next (main-es2015.f8382347a5a3c0995032.js:1:3346769)
at g._next (main-es2015.f8382347a5a3c0995032.js:1:3345964
还向我抛出字体错误,即
Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "font-src data:* https://*".
atlas-dev.centilytics.com/:80
Refused to load the font 'data:application/x-font-ttf;charset=utf-8;base64,AAEAAAAKAIAAAwAgT1MvMjeaTzgAAAEoAAAAVmNtYXD7UP53AAALpAAACpRnbHlm1RHgJwAAIGAAAg9MaGVhZCCrrrwAAADQAAAANmhoZWEIXgZKAAAArAAAACRobXR4JAb+rAAAAYAAAAokbG9jYQKOW2wAABY4AAAKKG1heHADtAHQAAABCAAAACBuYW1lc0cOBgACL6wAAAIlcG9zdMlVyL8AAjHUAAApOgABAAAEAAAAAFwEAP/A/8AEQAABAAAAAAAAAAAAAAAAAAACiQABAAAAAQAAdbd+1l8PPPUACwQAAAAAAN7GNN8AAAAA3sY03//A/+QEQAQcAAAACAACAAEAAAAAAAEAAAKJAcQAIQAAAAAAAgAAAAoACgAAAP8AAAAAAAAAAQQAAZAABQAAAokCzAAAAI8CiQLMAAAB6wAyAQgAAAIABQMAAAAAAAAAAAAAAAAAAA...V4dC1mb3JtLTIFbGFiZWwLY2hlY2stYm94LTITYWRkLWVkaXQtZm9ybS1maWVsZAZidXR0b24LZHJvcC1kb3duLTIMcmFkaW8tYnV0dG9uCHBhc3N3b3JkE3RhYmxlLWluc2VydC1jb2x1bW4QdGFibGUtaW5zZXJ0LXJvdxV0YWJsZS1vdmVyd3JpdGUtY2VsbHMMdGFibGUtbmVzdGVkC3RhYmxlLW1lcmdlCWRyYWctZmlsbARob21lDWdhbnR0LWdyaXBwZXINYnJpbmctdG8tdmlldw9icmluZy10by1jZW50ZXIHd2FybmluZw1jcml0aWNhbC1wYXRoD2JvcmRlci1zaGFkb3ctMhJib3JkZXItZGlhZ29uYWwtdXAUYm9yZGVyLWRpYWdvbmFsLWRvd24NYm9yZGVyLWN1c3RvbQ1ib3JkZXItbm9uZS0xCmJvcmRlci1ib3gPYm9yZGVyLXNoYWRvdy0xBWF1ZGlvBXZpZGVvAAAAAA==' because it violates the following Content Security Policy directive: "font-src data:* https://*".
Refused to load the font 'data:application/x-font-ttf;charset=utf-8;base64,AAEAAAAKAIAAAwAgT1MvMjeaTzgAAAEoAAAAVmNtYXD7UP53AAALpAAACpRnbHlm1RHgJwAAIGAAAg9MaGVhZCCrrrwAAADQAAAANmhoZWEIXgZKAAAArAAAACRobXR4JAb+rAAAAYAAAAokbG9jYQKOW2wAABY4AAAKKG1heHADtAHQAAABCAAAACBuYW1lc0cOBgACL6wAAAIlcG9zdMlVyL8AAjHUAAApOgABAAAEAAAAAFwEAP/A/8AEQAABAAAAAAAAAAAAAAAAAAACiQABAAAAAQAAdbd+1l8PPPUACwQAAAAAAN7GNN8AAAAA3sY03//A/+QEQAQcAAAACAACAAEAAAAAAAEAAAKJAcQAIQAAAAAAAgAAAAoACgAAAP8AAAAAAAAAAQQAAZAABQAAAokCzAAAAI8CiQLMAAAB6wAyAQgAAAIABQMAAAAAAAAAAAAAAAAAAA...V4dC1mb3JtLTIFbGFiZWwLY2hlY2stYm94LTITYWRkLWVkaXQtZm9ybS1maWVsZAZidXR0b24LZHJvcC1kb3duLTIMcmFkaW8tYnV0dG9uCHBhc3N3b3JkE3RhYmxlLWluc2VydC1jb2x1bW4QdGFibGUtaW5zZXJ0LXJvdxV0YWJsZS1vdmVyd3JpdGUtY2VsbHMMdGFibGUtbmVzdGVkC3RhYmxlLW1lcmdlCWRyYWctZmlsbARob21lDWdhbnR0LWdyaXBwZXINYnJpbmctdG8tdmlldw9icmluZy10by1jZW50ZXIHd2FybmluZw1jcml0aWNhbC1wYXRoD2JvcmRlci1zaGFkb3ctMhJib3JkZXItZGlhZ29uYWwtdXAUYm9yZGVyLWRpYWdvbmFsLWRvd24NYm9yZGVyLWN1c3RvbQ1ib3JkZXItbm9uZS0xCmJvcmRlci1ib3gPYm9yZGVyLXNoYWRvdy0xBWF1ZGlvBXZpZGVvAAAAAA==' because it violates the following Content Security Policy directive: "font-src data:* https://*".
请帮助我或建议我解决这些问题和安全标头得分 A+ 的最佳解决方案
我正在尝试添加 content-security-header 以保护我的应用程序免受 XSS 攻击 我目前的第三方脚本是 google-analytics 脚本、google-font 和 angular-material css,用于在我的应用程序中设置样式
答:
0赞
Halvor Sakshaug
8/3/2023
#1
您可能需要将 data: 和 http://atlas-dev.centilytics.com 添加到 font-src。certilytics.com URL 有些奇怪,因为端口号放错了位置。
但此外,错误消息中的 font-src 指令与您在此处列出的指令不同。这意味着您的页面上可能有多个 CSP(检查响应标头和元标记)。内容需要通过所有 CSP,因此添加另一个策略只会使其更严格。您可能需要查找并修改/删除其他策略。
评论