Styles imported through angular.json blocked by Content-Security-Policy script-src: self

huangapple go评论74阅读模式
英文:

Styles imported through angular.json blocked by Content-Security-Policy script-src: self

问题

通过angular.json文件的styles数组导入了一些CSS和SCSS文件,最终在<body>下添加了以下代码:

<link rel="stylesheet" href="styles.44408b7ba7c0e916.css" media="all" onload="this.media='all'">

我使用了content-security-policy: object-src 'none'; script-src 'self';,这阻止了上面的<link>加载,因此应用程序无法正常工作。错误信息如下:

拒绝执行内联事件处理程序,因为它违反了以下内容安全策略指令:"script-src 'self'"。要启用内联执行,需要使用"unsafe-inline"关键字、散列('sha256-...')或nonce('nonce-...')。请注意,散列不适用于事件处理程序、样式属性和javascript导航,除非存在"unsafe-hashes"关键字。

我注意到将'unsafe-inline'添加到CSP中将解决问题,但我不能采用这种不安全的解决方案。

请建议我其他不会威胁安全性的解决方案。

此外,请解释一下为什么CSS会被script-src策略阻止。

英文:

I have imported couple of css and scss files through angular.json styles array, this eventually added

&lt;link rel=&quot;stylesheet&quot; href=&quot;styles.44408b7ba7c0e916.css&quot; media=&quot;all&quot; onload=&quot;this.media=&#39;all&#39;&quot;&gt;

under &lt;body&gt;. I have content-security-policy: object-src &#39;none&#39;; script-src &#39;self&#39;, which is blocking the above &lt;link&gt; from loading and hence application not working. The error is as below,

> Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

angular.json

Styles imported through angular.json blocked by Content-Security-Policy script-src: self

link tag

Styles imported through angular.json blocked by Content-Security-Policy script-src: self

error in console

Styles imported through angular.json blocked by Content-Security-Policy script-src: self

I see adding 'unsafe-inline' to CSP will solve the problem but I cannot go with this solution as this is unsafe.

Please suggest me any other solution which is not a threat to security.

Also please throw some light on why css is being blocked by script-src policy.

答案1

得分: 1

这个帮助解决了我的问题,

找到了如何禁用内联关键样式
https://angular.io/guide/workspace-config#styles-optimization

在 angular.json 中的构建配置中,将

"optimization": true

替换为

"optimization": {
"scripts": true,
"styles": {
"minify": true,
"inlineCritical": false
},
"fonts": true
},

英文:

This one helped to resolve my issue,

Found how to disable the inlineCritical styles
https://angular.io/guide/workspace-config#styles-optimization-options

In angular.json in the build configuration Instead of

&quot;optimization&quot;: true

Replace with

&quot;optimization&quot;: {
  &quot;scripts&quot;: true,
  &quot;styles&quot;: {
    &quot;minify&quot;: true,
    &quot;inlineCritical&quot;: false
  },
  &quot;fonts&quot;: true
},

答案2

得分: 0

错误提示说它拒绝执行内联事件处理程序,它将位于您的标签末尾的"onload="this.media='all'""。您应该将其重写为白名单脚本中的事件监听器。

英文:

The error says it refused to execute the inline event handler, which would be onload="this.media='all'" at the end of your tag. You should rewrite this as an event listener in an allowlisted script.

huangapple
  • 本文由 发表于 2023年2月16日 13:26:25
  • 转载请务必保留本文链接:https://go.coder-hub.com/75468174.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定