这是服务器端CSP问题。在NGINX中,由于我的内容安全策略标题给我一个困难的时光,我正在遇到许多问题。
[root@www1 ~]# service nginx reload
nginx: [emerg] unknown directive "script-src" in /etc/nginx/conf.d/ssl.conf:15
nginx: configuration file /etc/nginx/nginx.conf test failed
我已经重写并重写了此策略,可能是8次,但是Nginx不会接受它。nginx版本为nginx/1.10.2,CentOS 6.8,内核2.6.32-642.13.1.el6.x86_64
server {
[...] //Stuff
add_header Content-Security-Policy:"default-src 'self';script-src 'self' 'unsafe-inline' https://bam.nr-data.net https://js-agent.newrelic.com https://cdn.mxpnl.com https://ajax.cloudflare.com https://*.redacted.co;style-src 'self' https://*.redacted.co;img-src *;font-src 'self' https://*.redacted.co https://cloud.typography.com; object-src 'none';frame-src 'none';upgrade-insecure-requests;";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
add_header X-Frame-Options "DENY";
add_header X-XSS-Protection "1; mode=block";
[...] //Stuff
}
我很明显吗?
看起来我在不应该有的地方加了一个结肠。删除,突然nginx很高兴。
add_header Content-Security-Policy:应该是 add_header Content-Security-Policy