nginx Content Security Policy frame-ancestors

qxsslcnc posted on 2023-05-06 in Nginx

We are trying to embed an external widget, pledge.to, from www.example.com on our website. We use this directive in NGINX:

add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval' frame-ancestors 'self' 'pledge.to';" always;

But we get this error message in the console:

The Content-Security-Policy directive 'default-src' contains 'frame-ancestors' as a source expression. Did you want to add it as a directive and forget a semicolon?

How is this wrong?

cyvaqqii1#

You have two directives, default-src and frame-ancestors, and they need to be separated by a semicolon, like this:

add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' 'pledge.to';" always;
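
Added example, not part of the original answer: a small Python linter that reproduces the check behind the console message (a directive name sitting inside another directive's source list) and also flags single-quoted tokens that are not CSP keywords, nonces or hashes, since host sources such as pledge.to are written without quotes. The names parse_csp and lint_csp, the directive subset and the FIXED policy are assumptions made for this example.

```python
import re

# Subset of CSP Level 3 directive names (assumption: extend for your policy).
DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "frame-src", "child-src", "object-src", "media-src",
    "worker-src", "base-uri", "form-action", "frame-ancestors",
}
# Only keywords, nonces and hashes are single-quoted; hosts and schemes are not.
QUOTED_OK = re.compile(
    r"^'(self|none|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic|"
    r"report-sample|wasm-unsafe-eval|nonce-[\w+/-]+=*|sha(256|384|512)-[\w+/-]+=*)'$",
    re.IGNORECASE,
)

def parse_csp(policy):
    """Return {directive: [values]}; a repeated directive keeps its first value list."""
    parsed = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed

def lint_csp(policy):
    """Return (directive, token, problem) for each suspicious source expression."""
    findings = []
    for name, values in parse_csp(policy).items():
        if name not in DIRECTIVES:
            continue  # only lint directives known to take a source list
        for token in values:
            if token.lower() in DIRECTIVES:
                findings.append((name, token, "directive name used as a source; missing ';'?"))
            elif token.startswith("'") and not QUOTED_OK.match(token):
                findings.append((name, token, "quoted host; host sources are written unquoted"))
    return findings

# Header values from the question and the answer above.
QUESTION = ("default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval' "
            "frame-ancestors 'self' 'pledge.to';")
ANSWER = ("default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; "
          "frame-ancestors 'self' 'pledge.to';")
# Constructed for this example: the answer's policy with the host unquoted.
FIXED = ("default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; "
         "frame-ancestors 'self' pledge.to;")

if __name__ == "__main__":
    for label, policy in (("question", QUESTION), ("answer", ANSWER), ("fixed", FIXED)):
        print(label, lint_csp(policy))
```

frame-ancestors lists the origins allowed to frame this site's own pages; which frames this site may load is decided by frame-src, which falls back to child-src and then default-src.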
