After upgrading my ember-cli app to version 0.0.47, I am getting a lot of Content Security Policy errors in the browser console. How can I fix this?
Refused to load the script 'http://use.typekit.net/abcdef.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729".
login:1
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
login:20
Refused to load the script 'http://connect.facebook.net/en_US/all.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729".
login:1
Refused to load the script 'http://maps.googleapis.com/maps/api/js?libraries=places' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729".
These are the lines in my app/index.html file:
<script type="text/javascript" src="//use.typekit.net/abcdef.js"></script>
<script type="text/javascript">try{Typekit.load();}catch(e){}</script>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script type="text/javascript" src="http://maps.googleapis.com/maps/api/js?libraries=places"></script>
s3.amazonaws.com, but there are strange problems on Firefox. Chrome seems to work fine. - ToddSmithSalter
allows everything. For the full list, see: http://content-security-policy.com/#source_list - lima_fil
A CSP with , unsafe-eval or unsafe-inline is effectively useless. And, obviously, you have to check and whitelist what the external scripts you run load, not just the scripts themselves. - LocalPCGuy
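An added example, not part of the original thread: a Node.js sketch that extends the `script-src` directive from the console errors with the three blocked hosts and a `sha256` hash for the inline `Typekit.load()` snippet, so that `'unsafe-inline'` is not needed. The function names are hypothetical, and it covers `script-src` only; whatever those scripts load in turn (fonts, styles, images, XHR) needs its own directives.

```javascript
// Added example, not code from the thread. Helper names are hypothetical.
const crypto = require('crypto');

// Policy, URLs and inline script copied from the question above.
const CURRENT = "script-src 'self' 'unsafe-eval' localhost:35729";
const BLOCKED_SCRIPTS = [
  'http://use.typekit.net/abcdef.js',
  'http://connect.facebook.net/en_US/all.js',
  'http://maps.googleapis.com/maps/api/js?libraries=places',
];
const INLINE_SCRIPT = 'try{Typekit.load();}catch(e){}';

// Host-source for a URL: host name, plus the port when it is not the default.
function hostSource(url) {
  return new URL(url).host;
}

// Hash-source for the exact text between <script> and </script>.
// Any change to that text, even whitespace, changes the hash.
function hashSource(scriptText) {
  const digest = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Keywords that weaken script-src and deserve a review before shipping.
function weakKeywords(policy) {
  const weak = ["'unsafe-inline'", "'unsafe-eval'", '*'];
  return policy.trim().split(/\s+/).slice(1).filter((s) => weak.includes(s));
}

// Merge host-sources and inline-script hashes into an existing directive.
function extendScriptSrc(policy, urls, inlineScripts) {
  const [name, ...sources] = policy.trim().split(/\s+/);
  if (name !== 'script-src') throw new Error('expected a script-src directive');
  const merged = new Set(sources); // a Set keeps order and drops duplicates
  urls.forEach((u) => merged.add(hostSource(u)));
  inlineScripts.forEach((s) => merged.add(hashSource(s)));
  return [name, ...merged].join(' ');
}

console.log(extendScriptSrc(CURRENT, BLOCKED_SCRIPTS, [INLINE_SCRIPT]));
console.log('review before production:', weakKeywords(CURRENT));
```

The hash-source is honoured only by browsers that implement CSP Level 2 hashes; moving the inline call into a file served from `'self'` avoids the hash altogether.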