我在这里的配置有问题。我试图应用一个准确的CSP策略,它在尝试加载我的react应用程序时不断抛出错误。
我的CSP策略
"script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' https://staging.example.org staging.example.org example.org *.example.org *.gstatic.com *.googleapis.com *.google.com *.amazonaws.com *.myservice.io google-analytics.com *.google-analytics.com *.algolianet.com algolianet.com algolia.net *.algolia.net http: https:;
object-src 'none';
base-uri example.org *.example.org;
require-trusted-types-for 'script';
report-uri 'none';
font-src https://staging.example.org staging.example.org example.org *.example.org *.gstatic.com *.googleapis.com *.google.com *.amazonaws.com *.myservice.io google-analytics.com *.google-analytics.com *.algolianet.com algolianet.com algolia.net *.algolia.net;
manifest-src 'self' https://staging.example.org staging.example.org example.org *.example.org *.gstatic.com *.googleapis.com *.google.com *.amazonaws.com *.myservice.io google-analytics.com *.google-analytics.com *.algolianet.com algolianet.com algolia.net *.algolia.net"
错误
Refused to load the script 'https://staging.example.org/static/js/2.d7.chunk.js' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' {... } 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
我已经尝试将脚本src-elem设置为example.org和上面应用的许多变体,但我仍然会遇到这个错误。
注意:它不是example.org,只是取代了我的网站。
"限制动态"取消所有基于主机的源(http:https:inclusive(。因此,您必须通过"nonce"令牌允许这些源:
<script src="https://staging.example.org/static/js/2.d7.chunk.js" nonce="rAnd0m123">
作为所有内联<scrpt>块(因为"严格动态"也取消了"不安全内联"令牌(:
<script nonce="rAnd0m123">
// some code here
</scrpt>
此外,报表uri不支持"none"令牌,因此指令将被忽略。
你还有一些额外的:
staging.example.org主机源代码由字体src/script src/manifest src指令中的*.example.org覆盖https://staging.example.org:由脚本src指令中的https:覆盖http: https:共同覆盖任何基于主机的源(使用ws:或wss:的源除外(