Description
Help needed:
The project requires enabling the CSP feature of the egg framework's egg-security middleware. Once it is enabled, how do I add the nonce that the framework generates for 'script-src' to inline script tags or style tags? Does the boilerplate have any configuration for this, or do I have to implement it myself?
Errors:
Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-rd5JCIzYZu2I6NbB'".
Sample of the configuration added to the project:

```js
// egg-security settings as posted (egg config file)
exports.security = {
  // domainWhiteList,
  csp: {
    enable: true,
    policy: {
      // no fallback sources; each directive below must list its own
      'default-src': 'none',
      // same-origin scripts/styles only; egg-security appends the per-request nonce
      'script-src': 'self',
      'style-src': 'self'
    }
  }
};
```