"[仅报告]拒绝加载字体"控制台上的错误消息

"[Report Only] Refused to load the font..." error message on console

本文关键字:quot 控制台 错误 消息 字体 拒绝 报告 加载      更新时间:2023-09-26

更具体地说:

[Report Only] Refused to load the font 'data:application/x-font-woff;charset=utf-8;base64,d09GRgABAAAAABBQAAoAAAAAG…H8zVsjnmMx0GcZ2HGViNOySWEa9fvEQtW43Nm+EOO0ZIpdLbMXoVzPJkcfHT6U+gLEpz/MAAAA' because it violates the following Content Security Policy directive: "font-src 'self'".

这是我在environment.js:的contentSecurityPolicy对象

contentSecurityPolicy: {
  'default-src': "'none'",
  'script-src': "'self' 'unsafe-inline' 'unsafe-eval' connect.facebook.net",
  'connect-src': "'self'",
  'img-src': "'self' www.facebook.com",
  'style-src': "'self' 'unsafe-inline'",
  'frame-src': "s-static.ak.facebook.com static.ak.facebook.com www.facebook.com",
  'report-uri': "http://localhost:4200"
},

有什么问题吗?

'font-src': "data:",添加到正在加载的字体的白名单中。

我花了很长时间试图弄清楚为什么我的聚合物代码的构建版本违反了我在firefox和safari中的CSP(在chrome中工作),事实证明,由于聚合物组件包含内联脚本,它们可能会导致CSP问题,而这些问题无法使用"不安全的内联"&'解决firefox和safari的"不安全的eval"标头,但是,如果您的脚本CSP包含data:,这将允许在聚合物构建期间编译的内联脚本在您的web应用程序上运行,而不会违反CSP。我想我会在这里分享,因为这个答案帮助我解决了我的问题。

您可能需要考虑使用coma','来定义您的异常:

这是网站上发布的示例:https://github.com/helmetjs/csp

const csp = require('helmet-csp')
app.use(csp({
  // Specify directives as normal.
  directives: {
    defaultSrc: ["'self'", 'default.com'],
    scriptSrc: ["'self'", "'unsafe-inline'"],
    styleSrc: ['style.com'],
    fontSrc: ["'self'", 'fonts.com'],
    imgSrc: ['img.com', 'data:'],
    sandbox: ['allow-forms', 'allow-scripts'],
    reportUri: '/report-violation',
    objectSrc: ["'none'"],
    upgradeInsecureRequests: true,
    workerSrc: false  // This is not set.
  },
  // This module will detect common mistakes in your directives and throw errors
  // if it finds any. To disable this, enable "loose mode".
  loose: false,
  // Set to true if you only want browsers to report errors, not block them.
  // You may also set this to a function(req, res) in order to decide dynamically
  // whether to use reportOnly mode, e.g., to allow for a dynamic kill switch.
  reportOnly: false,
  // Set to true if you want to blindly set all headers: Content-Security-Policy,
  // X-WebKit-CSP, and X-Content-Security-Policy.
  setAllHeaders: false,
  // Set to true if you want to disable CSP on Android where it can be buggy.
  disableAndroid: false,
  // Set to false if you want to completely disable any user-agent sniffing.
  // This may make the headers less compatible but it will be much faster.
  // This defaults to `true`.
  browserSniff: true
}))
相关文章: