问题描述

我的 .htaccess 文件中设置了以下内容安全策略:

I have the following content security policy set in my .htaccess file:

default-src 'none'; \
        form-action 'self'; \
        frame-ancestors 'none'; \
        font-src 'self' data: fonts.gstatic.com *.fontawesome.com; \
        img-src 'self' data: www.google-analytics.com www.facebook.com; \
        script-src 'self' 'unsafe-inline' www.google-analytics.com ssl.google-analytics.com www.google.com www.gstatic.com ajax.cloudflare.com www.googletagmanager.com connect.facebook.net *.fontawesome.com; \
        style-src 'self' 'unsafe-inline' fonts.googleapis.com *.fontawesome.com; \
        connect-src 'self' www.google-analytics.com *.fontawesome.com; \
        frame-src www.google.com; \
        base-uri 'none'; \
        report-uri /csp-report.php

当我访问该站点时，在开发人员工具控制台中没有任何CSP消息.但是，我是通过 report-uri 来获取报告的，就像这样:

When I visit the site, I don't get any CSP messages in the developer tools console. However, I am getting reports via my report-uri like this:

blocked-uri: https://www.google-analytics.com/analytics.js
document-uri: https://URL.com/
original-policy: default-src 'none'; form-action 'self'; frame-ancestors 'none'; font-src 'self' data: https://fonts.gstatic.com https://*.fontawesome.com; img-src 'self' data: https://www.google-analytics.com https://www.facebook.com; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://ssl.google-analytics.com https://www.google.com https://www.gstatic.com https://ajax.cloudflare.com https://www.googletagmanager.com https://connect.facebook.net https://*.fontawesome.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.fontawesome.com; connect-src 'self' https://www.google-analytics.com https://*.fontawesome.com; frame-src https://www.google.com; base-uri 'none'; report-uri https://URL.com/csp-report.php
referrer:
violated-directive: script-src

它总是被阻止的相同URI， https://www.google-analytics.com/analytics.js ，我不知道为什么.是因为用户端阻止了Google Analytics(分析)?

It is always the same URI, https://www.google-analytics.com/analytics.js that is being blocked, and I can't figure out why. Is this due to something on the user's end blocking Google Analytics?

推荐答案

我遇到了同样的问题.我能够根据 SO答案将其追溯到浏览器扩展.

I had the same issue. I was able to trace this down to browser extensions based on this SO answer.

TL; DR;是因为浏览器扩展程序加载了Google Analytics(分析)，并且被CSP阻止，但它似乎好像源自您的网站之外.

TL;DR; is that browser extensions load up google analytics and they get blocked by CSP but it shows as if it originated out of your site.

这篇关于内容安全策略正在阻止允许域中的URI的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！