我的nginx.conf中有以下内容
add_header Content-Security-Policy
"default-src 'self';
img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com;
style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com;
font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com;
frame-src 'self' *.vimeocdn.com *.vimeo.com;
object-src 'self'";
(我不得不多行才能使其清晰易读...
但是,在我的网站上,我仍然收到此错误:
Content Security Policy: The page’s settings blocked the loading of a resource at http://netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css (“style-src”).
知道为什么会发生这种情况,当它被列入白名单时?
正如@tarun-lalwani所提到的,另一个块中的任何add_header
指令都很重要。更准确地说,如果在后代块中使用add_header
(对于任何标头(,则此内容安全策略将在此类后代块中丢弃。
文档摘录:
这些指令继承自上一级当且仅当 当前级别上没有定义
add_header
指令。
为了避免代码复制(DRY(,可以使用变量或include
指令(或在广泛的情况下生成nginx配置(。
以防万一,在实际配置中不应使用多行标头值。通过curl -I https://example.com/path
检查服务器响应。为了在配置中提高可读性,可以使用变量。
例:
set $CSP_image "img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; ";
set $CSP_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; ";
set $CSP_style "style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; ";
set $CSP_font "font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; ";
set $CSP_frame "frame-src 'self' *.vimeocdn.com *.vimeo.com; ";
set $CSP_object "object-src 'self' ; ";
set $CSP "default-src 'self' ; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object}";
add_header Content-Security-Policy $CSP;