在ember-cli 0.0.47升级后违反内容安全策略指令
我将我的ember-cli应用程序升级到0.0.47,现在我的浏览器控制台中出现了一些与内容安全策略相关的错误。 我该如何解决这个问题?
Refused to load the script 'http://use.typekit.net/abcdef.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729". login:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. login:20 Refused to load the script 'http://connect.facebook.net/en_US/all.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729". login:1 Refused to load the script 'http://maps.googleapis.com/maps/api/js?libraries=places' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729". 以下是我的app / index.html文件中的行:
<script type="text/javascript" src="//use.typekit.net/abcdef.js"></script> <script type="text/javascript">try{Typekit.load();}catch(e){}</script> <script src="http://connect.facebook.net/en_US/all.js"></script> <script type="text/javascript" src="http://maps.googleapis.com/maps/api/js?libraries=places"></script>
在阅读http://content-security-policy.com/和https://github.com/rwjblue/ember-cli-content-security-policy的文档后,我在config / environment.js文件中添加了一些策略像这样:
module.exports = function(environment) { var ENV = { contentSecurityPolicy: { 'default-src': "'none'", 'script-src': "'self' 'unsafe-inline' 'unsafe-eval' use.typekit.net connect.facebook.net maps.googleapis.com maps.gstatic.com", 'font-src': "'self' data: use.typekit.net", 'connect-src': "'self'", 'img-src': "'self' www.facebook.com p.typekit.net", 'style-src': "'self' 'unsafe-inline' use.typekit.net", 'frame-src': "s-static.ak.facebook.com static.ak.facebook.com www.facebook.com" }, // ... };
这让所有直接的错误消失了,但是一旦我开始浏览我的应用程序,就会出现与S3媒体源相关的新错误。
我确信这适用于不包含任何外部资源的应用程序,但是我决定从我的package.json文件中删除“”ember-cli-content-security-policy“。
链接到谷歌的字体时,我不得不使用这个:
<link rel='stylesheet' href='http://fonts.googleapis.com/css?family=Lato:400,700,900'>
在我使用的config/environment.js文件中
contentSecurityPolicy: { 'font-src': "'self' data: fonts.gstatic.com", 'style-src': "'self' 'unsafe-inline' fonts.googleapis.com" },
