Problem description
I have a working Aurelia SPA web app, but if I set in my web.config the Content-Security-Policy option like this
<add name="X-Content-Security-Policy" value="default-src 'none'; frame-src 'self'; script-src 'self' https://code.jquery.com; connect-src 'self' https://*.core.windows.net; img-src 'self' data:; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; font-src https://fonts.gstatic.com 'self';"></add>
This error appears when the page loads:
Uncaught (in promise) Error: (SystemJS) Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://code.jquery.com".
I loaded the page now using the unbundled version and the error I get is
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline' 'self' https://code.jquery.com".
Evaluating https://localhost/jspm_packages/npm/[email protected]
Error loading https://localhost/jspm_packages/npm/[email protected]
In the meantime I will investigate the SystemJS module loader further.
Update
The error happens indeed in the SystemJS module loader, because in system.src.js it uses eval (plus a couple of 'new Function' definitions, but I don't come to those lines of code). My question would then be: is there no way to work around this other than switching off the Content-Security-Policy (or allowing 'unsafe-eval')?
Recommended answer
Aurelia fully supports Content Security Policy. If you are using SystemJS, you need to do the following changes to your index.html, compared to the getting started sample found in the Aurelia documentation:
Use the CSP compatible production build of SystemJS:
<script src="scripts/system-csp-production.js"></script>
Note that using the CSP version of SystemJS, you can only run bundled or it will not work. You probably want to use the line above in production only.
Create a file bootstrap.js with the following contents:
System.import("aurelia-bootstrapper");
and replace the same, inlined call in index.html with the following line:
<script src="scripts/bootstrap.js"></script>
Here is a relevant issue on the Aurelia project.
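An added example, not part of the original answer or the Aurelia project: a Node.js check that reports which script tags in an index.html a given script-src would block, and whether string evaluation (eval, new Function) is allowed. The names parseCsp and auditScripts, the origin https://localhost as the page origin, and the sample HTML are assumptions made for illustration.

```javascript
// Added example. parseCsp and auditScripts are hypothetical helper names.
// Simplified matching: only 'self' and exact origins; no wildcards, paths,
// nonces or hashes (a nonce or hash would also make 'unsafe-inline' ignored).

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function auditScripts(policy, html, pageOrigin) {
  const csp = parseCsp(policy);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = csp['script-src'] || csp['default-src'];
  if (!sources) return { evalAllowed: true, blocked: [] };
  const blocked = [];
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) {
      const body = m[2].trim();
      if (body && !sources.includes("'unsafe-inline'")) blocked.push(`inline: ${body}`);
      continue;
    }
    const origin = new URL(src[1], pageOrigin).origin;
    const ok = sources.includes(origin) || (origin === pageOrigin && sources.includes("'self'"));
    if (!ok) blocked.push(`external: ${src[1]}`);
  }
  return { evalAllowed: sources.includes("'unsafe-eval'"), blocked };
}

// script-src as reported in the first error message on this page.
const POLICY = "default-src 'none'; script-src 'self' https://code.jquery.com";
// Constructed sample pages; the first two file names in BEFORE are assumptions.
const BEFORE = `<script src="jspm_packages/system.js"></script>
<script src="config.js"></script>
<script>System.import("aurelia-bootstrapper");</script>`;
const AFTER = `<script src="scripts/system-csp-production.js"></script>
<script src="scripts/bootstrap.js"></script>`;

console.log(auditScripts(POLICY, BEFORE, 'https://localhost'));
console.log(auditScripts(POLICY, AFTER, 'https://localhost'));
```

For both pages evalAllowed stays false, which is why the loader itself has to be the CSP build; moving the inline call into bootstrap.js only clears the inline-script finding.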