问题描述
我遇到了许多Github网站,这些网站没有显示嵌入的图像.通过页面检查,我得到:
I experience a multitude of Github sites where the embedded images are not shown. By page inspection i get:
示例:
Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com".
Refused to load the image 'https://raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com/s/raw.githubusercontent.com/othneildrew/Best-README-Template/master/images/screenshot.png?X-OpenDNS-Session=_f7905b88047890475409fdb099cfa2fdcd239270fc5e_tzftKMMb_' because it violates the following Content Security Policy directive: "img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com".
以下页面工作正常: Vue , Tensorflow , FreeCodeCamp .
The following pages works fine:Vue, Tensorflow, FreeCodeCamp.
以上适用于Chrome,但适用于Edge.我仅在我的公司PC上(甚至在公司VPN之外)也看到了这些问题.
Above is for Chrome, but same issue for Edge.I only see these issues on my corporate PC (even outside the corporate VPN).
- 哪个安全策略导致此问题?(浏览器设置,防火墙/防病毒软件?)
- 为什么有些页面失败而其他页面却没有?
- 出现故障的站点是否确实会造成安全风险(例如XSS),并且应该针对出现故障的Github站点或一般的Github是否存在未解决的问题?
推荐答案
您不是从raw.githubusercontent.com而是从raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com加载图像.可能是您的公司PC进行了一些重写,以通过opendns.com过滤图像.您可能需要添加"* .id.opendns.com"或"* .opendns.com"到img-src以在此特定环境中工作.
You are not loading your images from raw.githubusercontent.com but from raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com. It could be that your corporate PC does some rewrites to filter images through opendns.com. You would likely need to add "*.id.opendns.com" or "*.opendns.com" to img-src to work in this specific environment.
如果您监视CSP报告,您会发现公司安全产品经常进行修改,从而导致CSP违规.
If you monitor CSP reports you will see that corporate security products often makes modifications that causes CSP violations.
这篇关于许多Github网站未显示图像(内容安全政策)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!