About jQuery: Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”

I keep getting this error:

Refused to execute inline script because it violates the following Content Security Policy directive:"default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Can anyone tell me how to fix this, and what it means? My code is:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="css/index.css">
<link rel="stylesheet" href="css/jquery.mobile-1.4.5.css">
<script src="lib/jquery-3.2.1.min.js"></script>
<script type="text/javascript" src="scripts/key.js"></script>

<!-- The inline script below is the one the CSP error message refers to.
     (Assumed to be its own <script> element: a script with a src attribute ignores its inline body.) -->
<script type="text/javascript">
$.ajax({
    url: 'http://www.visitsingapore.com/api.listing.en.json',
    type: 'GET',
    beforeSend: function (xhr) {
        // credentials are sent as custom request headers
        xhr.setRequestHeader('email ID', '[email protected]');
        xhr.setRequestHeader('token ID', '-------');
    },
    data: {},
    success: function (qwe12) {
        // dump the JSON response into the document
        var TrueResult2 = JSON.stringify(qwe12);
        document.write(TrueResult2);
    },
    error: function () { }
});
</script>

The best way to fix this is to move the $.ajax(…) call out of the document into an external file named ajax-call.js, and then do this:

<script src="ajax-call.js"></script>

The reason that is better: if you are already going to the trouble of setting a CSP policy for the document, you should ideally make the extra effort to remove all inline scripts.

But if for some reason you really do need to keep that script inline in the document, you can change the meta element so that the exact sha256 hash from the error message is included in the sources of the script-src directive, e.g. (with some line breaks added just for readability):

<!-- Once script-src is set, default-src no longer applies to scripts, so 'self' is
     kept in script-src here to keep external scripts such as lib/jquery-3.2.1.min.js allowed. -->
<meta http-equiv="Content-Security-Policy"
  content="default-src 'self' data: gap: http://www.visitsingapore.com
  https://ssl.gstatic.com 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  media-src *;
  script-src 'self' 'sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='
">

There is more information in a few places:

  • developers.google.com/web/fundamentals/security/csp/#if_you_absolutely_must_use_it
  • www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Refactoring_inline_code