Content-Security-Policy meta tag 'unsafe-inline' does not work



In my Electron app I get this CSS cross-origin policy error:

Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;700&display=swap' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the font 'https://cdn.scaleflex.it/plugins/filerobot-image-editor/assets/fonts/filerobot-image-editor-font/v5/filerobot-image-editor-font.ttf?ua0hzun3' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the font 'https://cdn.scaleflex.it/plugins/filerobot-image-editor/assets/fonts/filerobot-image-editor-font/v5/filerobot-image-editor-font.woff?ua0hzun3' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

So I tried something like this:

    <meta http-equiv="Content-Security-Policy"
      content="
        default-src     'self' https://cdn.scaleflex.it https://fonts.googleapis.com 'unsafe-eval' 'unsafe-inline';
        style-src       'self' https://cdn.scaleflex.it https://fonts.googleapis.com 'unsafe-eval' 'unsafe-inline';
        style-src-elem  'self' https://cdn.scaleflex.it https://fonts.googleapis.com 'unsafe-eval' 'unsafe-inline';
        font-src        'self' https://cdn.scaleflex.it https://fonts.googleapis.com 'unsafe-eval' 'unsafe-inline';
      "
    />

But it gives me something like this:

Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;700&display=swap' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;700&display=swap' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the font 'https://cdn.scaleflex.it/plugins/filerobot-image-editor/assets/fonts/filerobot-image-editor-font/v5/filerobot-image-editor-font.ttf?ua0hzun3' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the font 'https://cdn.scaleflex.it/plugins/filerobot-image-editor/assets/fonts/filerobot-image-editor-font/v5/filerobot-image-editor-font.woff?ua0hzun3' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

But according to most answers this should work, e.g.: ans1, ans2.

The key points are in:

  • "because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:""
  • "Note that 'font-src' was not explicitly set" / "Note that 'style-src-elem' was not explicitly set"

whereas your meta tag does have font-src and style-src/style-src-elem directives.

This means it is not the CSP from your meta tag that is doing the blocking, but some other CSP. If multiple CSPs are published, a source must pass all of them in order to be allowed.

Check whether you use the electron-forge/plugin-webpack plugin (or a similar one) - these plugins can add a meta tag with their own default CSP. In that case you will see two <meta http-equiv="Content-Security-Policy"... tags in the HTML code.

Also, Electron in dev mode can publish a CSP via an HTTP header; check for that, or search your project for code like this:

    // Main-process hook: rewrites the response headers of every request,
    // which is how a CSP ends up being sent as an HTTP header in dev mode.
    session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
      callback({
        responseHeaders: Object.assign({
          ...details.responseHeaders,
          // this is the policy the browser reports as "default-src 'self' ..."
          "Content-Security-Policy": [ "default-src 'self'" ]
        }, details.responseHeaders)
      });
    });

In any case, you need to change the CSP that is already published, not add a new one.

Note:

  • the 'unsafe-eval' token is not supported in the style-src-elem directive
  • 'unsafe-eval' and 'unsafe-inline' are not supported in the font-src directive. You can remove these.
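As an added illustration (not code from the question or the answer), the following simplified CSP evaluator shows why the stylesheet and font requests above fail even though the meta tag allows them: the header policy "default-src 'self' 'unsafe-inline' data:" is evaluated independently, so every delivered policy must allow the request. It also shows the shape of the fix the answer recommends, rewriting the existing header policy instead of adding a second one. The renderer origin, the fixed policy text and the `rewriteHeaders` helper are assumptions for the example; only 'self', scheme-sources and host-sources are modelled (no nonces, hashes, ports or paths).

```javascript
// Added example: simplified CSP evaluation across several delivered policies.
// Not the browser's algorithm; 'self', 'none', scheme-sources and host-sources only.

const APP_ORIGIN = 'http://localhost:3000'; // assumed renderer origin (placeholder)

// Fallback chains for the two fetch directives named in the error messages.
const FALLBACK = {
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'font-src': ['font-src', 'default-src'],
};

// Parse "name src src; name src" into { name: [sources] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression match a URL?
function sourceMatches(source, url) {
  const u = new URL(url);
  if (source === "'self'") return u.origin === new URL(APP_ORIGIN).origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase(); // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source); // host-source, port ignored
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  if (host === '*') return true;
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1).toLowerCase());
  return u.hostname === host.toLowerCase();
}

// Evaluate ONE policy for a directive and URL, applying the default-src fallback.
function checkPolicy(policyText, directive, url) {
  const directives = parsePolicy(policyText);
  const governing = (FALLBACK[directive] || [directive, 'default-src'])
    .find((name) => name in directives);
  if (!governing) return { allowed: true, governing: null }; // nothing applies
  return { allowed: directives[governing].some((s) => sourceMatches(s, url)), governing };
}

// With several policies delivered (meta tag + header), each is enforced on its own.
function allowedByAll(policies, directive, url) {
  return policies.every((p) => checkPolicy(p, directive, url).allowed);
}

// Constructed inputs: a trimmed copy of the question's meta-tag policy and the
// header policy quoted in the browser error.
const META_POLICY =
  "default-src 'self' https://cdn.scaleflex.it https://fonts.googleapis.com 'unsafe-inline'; " +
  "style-src-elem 'self' https://fonts.googleapis.com 'unsafe-inline'; " +
  "font-src 'self' https://cdn.scaleflex.it";
const HEADER_POLICY = "default-src 'self' 'unsafe-inline' data:";
const FONT_CSS = 'https://fonts.googleapis.com/css2?family=Roboto:wght@400;500;700&display=swap';
const FONT_TTF = 'https://cdn.scaleflex.it/plugins/filerobot-image-editor/assets/fonts/filerobot-image-editor-font/v5/filerobot-image-editor-font.ttf?ua0hzun3';

// Assumed replacement for the header policy: widen the published policy itself.
// fonts.gstatic.com is where Google Fonts serves the font files that the
// googleapis CSS references, so it is needed once that stylesheet loads.
const FIXED_HEADER_POLICY = [
  "default-src 'self' data:",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
  "font-src 'self' data: https://cdn.scaleflex.it https://fonts.gstatic.com",
].join('; ');

// Hypothetical body for an onHeadersReceived handler: replace any existing
// Content-Security-Policy header (case-insensitively) rather than appending one.
function rewriteHeaders(responseHeaders, policy) {
  const headers = { ...responseHeaders };
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'content-security-policy') delete headers[name];
  }
  headers['Content-Security-Policy'] = [policy];
  return headers;
}

// In Electron this would be wired up as:
//   session.defaultSession.webRequest.onHeadersReceived((details, callback) =>
//     callback({ responseHeaders: rewriteHeaders(details.responseHeaders, FIXED_HEADER_POLICY) }));
console.log('meta alone allows CSS:', checkPolicy(META_POLICY, 'style-src-elem', FONT_CSS).allowed);
console.log('header alone allows CSS:', checkPolicy(HEADER_POLICY, 'style-src-elem', FONT_CSS));
console.log('both policies allow font:', allowedByAll([META_POLICY, HEADER_POLICY], 'font-src', FONT_TTF));
console.log('after header fix:', allowedByAll([META_POLICY, FIXED_HEADER_POLICY], 'font-src', FONT_TTF));
```

Running it shows the meta policy permitting both requests while the header policy, falling back to default-src, rejects them; only after the header's own policy is widened does every policy agree.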
