Problem description
I'm getting this error and I don't know why, the scripts that I have included work? And the error only shows up when I load a subpage. Not when I load the start page. So what am I doing wrong?
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
<meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'unsafe-eval' https://checkout.dibspayment.eu https://www.google-analytics.com https://maps.google.com;">
Any input is greatly appreciated.
Recommended answer
It's not an error, just a warning that your browser does not support the 'strict-dynamic' token. (guess you use Safari).
I guess that subpage is some Google iframe (oAuth2, reCaptcha, etc). That iframe publishes its own CSP which contains the 'strict-dynamic' token, and this CSP was created in browsers' backward compatibility mode (Google makes such).
That's a warning from a third-party CSP, not yours.
Your parent page has its own CSP which allows scripts. The CSP of a nested browsing context (iframe) does not affect the parent page (except the frame-ancestors directive).
Nothing. It's the intended regular work of Content Security Policy.
Each browsing context can have its own CSP. But all warnings will flow to one browser console, and that is misleading.
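The answer's point, as an added example that is not part of the original answer: a small `script-src` parser that reports which tokens a CSP Level 2 parser would ignore (the source of the console warning) and which allowlist entries a `'strict-dynamic'`-aware browser drops. `IFRAME_POLICY` is a constructed sample and the function names are hypothetical; `PAGE_POLICY` is the policy from the question.

```javascript
// Added example; function names and IFRAME_POLICY are constructed for illustration.
const CSP2_KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"]);

// Policy from the question's <meta> tag (the parent page).
const PAGE_POLICY = "script-src * 'unsafe-inline' 'unsafe-eval' https://checkout.dibspayment.eu https://www.google-analytics.com https://maps.google.com;";
// Constructed backward-compatible policy of the kind an embedded third-party frame may send.
const IFRAME_POLICY = "script-src 'nonce-r4nd0mConstructed' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'";

// Split a serialized policy into directive name -> source list (first occurrence wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Nonces and hashes are Level 2 syntax; any other quoted token is a keyword.
function classify(token) {
  if (/^'nonce-[a-z0-9+\/_-]+={0,2}'$/i.test(token)) return "nonce";
  if (/^'sha(256|384|512)-[a-z0-9+\/_-]+={0,2}'$/i.test(token)) return "hash";
  return token.startsWith("'") ? "keyword" : "host-or-scheme";
}

function auditScriptSrc(policy) {
  const sources = parsePolicy(policy).get("script-src") || [];
  const lower = (s) => s.toLowerCase();
  // Keywords a Level 2 parser does not know are ignored with a console warning.
  const ignoredByCsp2 = sources.filter(
    (s) => classify(s) === "keyword" && !CSP2_KEYWORDS.has(lower(s)));
  // With 'strict-dynamic', Level 3 browsers ignore allowlist entries for script loads.
  const strict = sources.some((s) => lower(s) === "'strict-dynamic'");
  const ignoredByCsp3 = !strict ? [] : sources.filter(
    (s) => classify(s) === "host-or-scheme" || ["'self'", "'unsafe-inline'"].includes(lower(s)));
  return { ignoredByCsp2, ignoredByCsp3 };
}

console.log("parent page:", auditScriptSrc(PAGE_POLICY));
console.log("iframe:", auditScriptSrc(IFRAME_POLICY));
```

The parent page's policy yields no ignored tokens, so the `'strict-dynamic'` warning cannot originate from it; only the constructed frame policy triggers it.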