我已经将Google字体的URL添加到我的内容安全策略头文件的字体-src指令中。在Chrome 42中出现了以下错误:
Refused to load the stylesheet 'http://fonts.googleapis.com/css?
family=Open+Sans:300,400,400italic,600,800|Source+Code+Pro' because it violates the
following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".
我的头部字段看起来像这样:
Content-Security-Policy: default-src 'self'; font-src http://fonts.googleapis.com;
style-src 'self' 'unsafe-inline'
http://fonts.googleapis.com返回的是样式表而不是字体。如果你检查它引入的样式表,你会发现有几个@font-face规则从http://fonts.gstatic.com中引用字体。Content-Security-Policy: default-src 'self'; font-src http://fonts.gstatic.com;
style-src 'self' 'unsafe-inline' http://fonts.googleapis.com
如果你和我一样有点困惑,因为每个答案都只是说需要在style-src指令中授权一个URL,却没有展示如何操作,那么这里是完整的标签:
<meta http-equiv="Content-Security-Policy" content="style-src 'self' http://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;">
https 版本对我来说是必要的:Content-Security-Policy: default-src 'self'; font-src https://fonts.gstatic.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com