Virtual host CSP issue

Problem

 Refused to load the script 'https://wza.rrbay.com/js/wza.min.js?667146c…' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' wza.rrbay.com". Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

whyx-intro.html:100 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' wza.rrbay.com". Either the 'unsafe-inline' keyword, a hash ('sha256-BBOGexNnujshehIQ4WlkijzyT1OZDSFMwde8dE1r6DE='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

whyx-intro.html:152 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' wza.rrbay.com". Either the 'unsafe-inline' keyword, a hash ('sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

whyx-intro.html:171 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' wza.rrbay.com". Either the 'unsafe-inline' keyword, a hash ('sha256-daEdpEyAJIa8b2VkCqSKcw8PaExcB6Qro80XNes/sHA='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

js-plus.js?v=20224:14 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' wza.rrbay.com".

    at js-plus.js?v=20224:14:325
(匿名) @ js-plus.js?v=20224:14
whyx-intro.html:1 Refused to load the script 'https://wza.rrbay.com/js/wza.min.js?667146c221c0111398aa4ea7' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Make sure the mod_headers module is enabled

<IfModule mod_headers.c>
    # Set the Content Security Policy
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://example.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com"
</IfModule>


<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self' https://wza.rrbay.com; script-src 'self' https://wza.rrbay.com;"
</IfModule>

.htaccess configuration

Header set X-Frame-Options SAMEORIGIN

On an Alibaba Cloud virtual host running Apache, how do I configure a Content Security Policy (CSP) so that the site can load all resources from the domain wza.rrbay.com?

On an Alibaba Cloud virtual host running Apache, you configure the Content Security Policy (CSP) by editing the .htaccess file, which lets the site load all resources from a specific domain (such as wza.rrbay.com). Follow these steps:

1. Log in to the Alibaba Cloud virtual host management console:

Log in to the virtual host management interface with your Alibaba Cloud account.

2. Edit the .htaccess file:

Use the file manager in the console to locate and edit the .htaccess file. It is usually in your site's root directory.

3. Add the CSP header directive:

In the .htaccess file, use the Header directive to set the CSP header so that resources of all types may be loaded from wza.rrbay.com. For example:

<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self' wza.rrbay.com 'unsafe-inline' 'unsafe-eval'; "
</IfModule>

In this example, the Content-Security-Policy header allows resources of all types to be loaded from the current origin ('self') and from wza.rrbay.com. The default-src directive sets the default loading policy, while other directives (such as script-src, style-src and img-src) override that default for their particular resource types.

Note that, depending on your site's needs, you may have to adjust this policy, for example by adding more sources or more specific directives.

4. Save and close the file:

Save your changes to the .htaccess file.

5. Clear the cache and test:

Because browsers may cache the old CSP settings, clear the browser cache or test in an incognito/private window after changing the configuration. Visit your site and use the browser's developer tools to inspect the response headers, confirming that the CSP header is set correctly and that the site loads resources from wza.rrbay.com normally.

6. Monitor and debug:

After deploying the CSP, monitor the site's functionality and performance closely to make sure the policy has not broken anything. If resources fail to load or scripts fail to execute, you may need to adjust the CSP to allow the necessary resources.
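The console messages at the top of this page all come from directive fallback: script-src-elem falls back to script-src, and style-src and script-src fall back to default-src when they are not set explicitly. A candidate policy can be checked against those exact loads before it is written to .htaccess. The evaluator below is an added example, not code from the original post; it models only the directives this page uses, simplifies host matching to hostname comparison, and uses https://example.test as an assumed page origin.

```python
# Added example: a minimal evaluator for the CSP fallback behaviour described
# in the console messages above. Host matching is simplified to hostname
# comparison; real browsers also check scheme, port and path prefixes.
from urllib.parse import urlparse

# Directive fallback chain (only the directives relevant to this page).
FALLBACK = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "default-src": [],
}

def parse_csp(header):
    """Split a CSP header into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Walk the fallback chain until an explicitly set directive is found."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return name, policy[name]
    return None, None  # nothing applies: the load is unrestricted

def check(header, directive, page_origin, url=None, inline=False, uses_eval=False):
    """Return (allowed, governing_directive) for one attempted load."""
    name, sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True, None
    if uses_eval:  # eval()/new Function() need 'unsafe-eval' in the governing list
        return "'unsafe-eval'" in sources, name
    if inline:  # inline <style>/<script> need 'unsafe-inline' (or a hash/nonce, not modelled)
        return "'unsafe-inline'" in sources, name
    host = urlparse(url).hostname
    for src in sources:
        if src == "'self'" and host == urlparse(page_origin).hostname:
            return True, name
        if src.startswith("'"):
            continue  # keyword, hash or nonce: never matches an external URL
        if urlparse(src if "://" in src else "//" + src).hostname == host:
            return True, name
    return False, name
```

Running the three policies quoted on this page through check() reproduces the console results: the script-src-only policy blocks wza.min.js, the "default-src 'self' wza.rrbay.com" policy blocks inline styles and eval, and the final policy allows all of them while still blocking scripts from any other host.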


Tags: csp xss accessibility toolbar