Implementing a Content Security Policy with Google Tag Manager



I am trying to get Google services working under CSP. This is for my website https://maxwink.com. The site is built with custom PHP.

The directive I am using is
Header set Content-Security-Policy "Content-Security-Policy: script-src 'self' 'unsafe-eval' https://www.google-analytics.com 'unsafe-eval' 'unsafe-inline' https://*.googletagmanager.com  https://tagmanager.google.com/ https://*.google.com;"

The errors are

  1. Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser.

  2. The Content-Security-Policy directive name 'Content-Security-Policy:' contains one or more invalid characters. Only ASCII alphanumeric characters or dashes '-' are allowed in directive names.

  3. Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=XXXX' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

  4. Refused to load the script 'https://www.google-analytics.com/analytics.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

I am asking for your help. I am completely lost.

It seems the main problem is that you have defined two different Content Security Policies, and another one is commented out.

You set this response header:

content-security-policy: Content-Security-Policy: script-src 'self' 'unsafe-eval' https://www.google-analytics.com 'unsafe-eval' 'unsafe-inline' https://*.googletagmanager.com  https://tagmanager.google.com/ https://*.google.com;

You set this meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';  style-src 'self' 'unsafe-inline'">

This meta tag is commented out:

<!-- <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' googletagmanager.com; script-src 'self' 'unsafe-inline' googletagmanager.com *.hotjar.com img-src: www.googletagmanager.com; frame-ancestors 'none'; object-src 'none'"> -->

The problems are:

  1. With multiple policies, content must pass all of them; the more you add, the stricter it gets. Unless you have an advanced scenario that requires multiple policies, use only one.
  2. You have included the literal text "Content-Security-Policy:".

If you use the commented-out policy, remove the colon in "img-src:".
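To make the two points above concrete, here is an added Python example (not code from the question or the answer) that parses the posted policies the way a browser does, flags the invalid directive name, and checks the gtag script URL against every delivered policy. Host matching is simplified (no path matching) and scheme-less sources are assumed to be https.

```python
import re
from urllib.parse import urlsplit

# Constructed from the policies quoted above: the header exactly as posted, the meta-tag policy,
# and the header with the stray "Content-Security-Policy:" prefix removed.
HEADER_AS_POSTED = ("Content-Security-Policy: script-src 'self' 'unsafe-eval' "
                    "https://www.google-analytics.com 'unsafe-eval' 'unsafe-inline' "
                    "https://*.googletagmanager.com https://tagmanager.google.com/ https://*.google.com;")
META_POLICY = ("default-src 'self'; img-src https://*; child-src 'none'; "
               "style-src 'self' 'unsafe-inline'")
HEADER_FIXED = HEADER_AS_POSTED.split(": ", 1)[1]
PAGE_ORIGIN = "https://maxwink.com"                              # the asker's site
GTAG_URL = "https://www.googletagmanager.com/gtag/js?id=XXXX"   # URL from console error 3

def parse_policy(policy):
    """Split a serialized policy into {directive: [sources]}; report invalid directive names."""
    directives, errors = {}, []
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        if not re.fullmatch(r"[A-Za-z0-9-]+", parts[0]):       # only ASCII alphanumerics and '-'
            errors.append(f"directive name {parts[0]!r} contains invalid characters")
            continue                                           # whole directive is dropped, like a browser
        directives.setdefault(parts[0].lower(), parts[1:])     # duplicate directives: first one wins
    return directives, errors

def source_matches(source, url, page_origin):
    """Simplified host-source matching: 'self', scheme, host with optional '*.' wildcard (no paths)."""
    s, u = source.lower(), urlsplit(url.lower())
    if s == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin.lower()
    if s.startswith("'"):                 # 'unsafe-inline', 'unsafe-eval', 'none' never match a URL
        return False
    src = urlsplit(s if "://" in s else "https://" + s)        # scheme-less sources assumed https
    host = src.hostname or ""
    if src.scheme != u.scheme or not host:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return host in ("*", u.hostname)

def script_allowed(url, policies, page_origin=PAGE_ORIGIN):
    """A script loads only if EVERY delivered policy allows it; script-src falls back to default-src."""
    for policy in policies:
        directives, _ = parse_policy(policy)
        governing = [n for n in ("script-src-elem", "script-src", "default-src") if n in directives]
        if governing and not any(source_matches(s, url, page_origin) for s in directives[governing[0]]):
            return False
    return True
```

With the header as posted, the whole script-src directive is discarded because of the bad name, so the meta tag's default-src 'self' is the only rule left and it blocks gtag; even with the header fixed, the meta policy still has to allow the script.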
