问题描述

我正在使用js插件，该插件在自身内部添加了SVG图像.我已经在网站上添加了CSP策略，但是无法将其配置为允许插件的代码.

I am using the js plugin that adds inside itself SVG images.I have added CSP policy to my website, but I can't configure it to allow plugin's code.

其代码如下:

label=$("<object style='height:10px; width:10px;' type='image/svg+xml' data='data:image/svg+xml;charset=UTF-8," +
"<svg xmlns=\"http://www.w3.org/2000/svg\">" +
"<rect x=\"0\" y=\"0\" some parameters/>"+
"<text>SomeText</text></svg>'></object>");
el.html(label)

我正在寻找一种配置，该配置允许在对象中呈现的SVG图像.我从那里尝试过其他选项- CSP:object-src .

I am looking for a configuration that allows SVG image that is rendered in the object.I am tried different options from there - CSP: object-src.

但是我总是会像下一个一样出现错误:

But I am alway get error like next:

Refused to load plugin data from 'data:image/svg+xml;charset=UTF-8, my svg here' because it violates the following Content Security Policy directive: "object-src 'unsafe-eval'".

在这种情况下如何正确配置CSP?

How to configure CSP correct in this case?

推荐答案

该SVG图像由 data: URL提供，因此必须更新您的CSP策略以允许这样做.

That SVG image is provided by a data: URL, so your CSP policy must be updated to allow that.

您不会显示您当前的策略是什么或您在何处设置它，而是假设您使用 Content-Security-Policy 标头设置了该策略，并且当前具有object-src'unsafe-eval'，那么您可以通过将策略的该部分更新为以下内容来允许 data: URL:

You don’t show what your current policy is or where you’re setting it, but assuming you’re setting it with the Content-Security-Policy header and it currently has object-src 'unsafe-eval', then you can allow data: URLs there by updating that part of the policy to look like this:

Content-Security-Policy: object-src data: 'unsafe-eval'

这仅在 Content-Security-Policy 标头中显示了当前策略的相关部分.无论该标头值中当前有其他指令，您都希望保持原样.

That shows just the relevant part of the current policy in the Content-Security-Policy header. Whatever other directives you currently have in that header value, you’d want to preserve as-is.

这篇关于内容安全政策(CSP):如何在对象中允许SVG图片的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！