CSP blocks Fine Uploader thumbnail after upload to Amazon S3


I have a problem with my Content Security Policy, which is handled by a package.

After a file is successfully uploaded to the S3 server, the plugin tries to load a thumbnail and sends a request like this:

blob:http://b2b.local/085a1b81-0513-47a8-a334-fbc4eca4b365

My CSP is blocking this request, which prevents the thumbnail from being displayed, and the console shows the following message:

Refused to load the image because it violates the following Content Security Policy directive: "img-src 'self' http://www.google-analytics.com data:".

My CSP configuration looks like this:

<?php
$protocol = 'https://';
if (! isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') {
    $protocol = 'http://';
}

return [
    'x-content-type-options' => 'nosniff',
    'x-download-options' => 'noopen',
    'x-frame-options' => 'sameorigin',
    'x-permitted-cross-domain-policies' => 'none',
    'x-xss-protection' => '1; mode=block',
    'referrer-policy' => 'unsafe-url',
    'hsts' => [
        'enable' => env('SECURITY_HEADER_HSTS_ENABLE', false),
        'max-age' => 31536000,
        'include-sub-domains' => true,
    ],
    'hpkp' => [
        'hashes' => false,
        'include-sub-domains' => false,
        'max-age' => 15552000,
        'report-only' => false,
        'report-uri' => null,
    ],
    'custom-csp' => env('SECURITY_HEADER_CUSTOM_CSP', null),
    'csp' => [
        'report-only' => false,
        'report-uri' => env('CONTENT_SECURITY_POLICY_REPORT_URI', false),
        'upgrade-insecure-requests' => false,
        'default-src' => [
            'allow' => [
                'player.vimeo.com',
            ],
            'self' => true,
        ],
        'script-src' => [
            'allow' => [
                $protocol.'ajax.googleapis.com',
                $protocol.'code.jquery.com',
                $protocol.'www.googletagmanager.com',
                $protocol.'www.google-analytics.com',
                $protocol.'www.google.com',
                $protocol.'www.gstatic.com',
                $protocol.'sachinchoolur.github.io',
                $protocol.'cdnjs.cloudflare.com',                
                $protocol.'*.addthis.com',
                $protocol.'*.addthisedge.com',
                $protocol.'*.facebook.com',
            ],
            'self' => true,
            'unsafe-inline' => true,
            'unsafe-eval' => true,
            'data' => true,
        ],
        'frame-src' => [
            'allow' => [
                'player.vimeo.com',                
                $protocol.'www.google.com',
                $protocol.'*.addthis.com',
                $protocol.'*.addthisedge.com',
            ]
        ],
        'style-src' => [
            'allow' => [
                $protocol.'fonts.googleapis.com',
                $protocol.'sachinchoolur.github.io',
                $protocol.'code.jquery.com',
                $protocol.'*.addthis.com',
                $protocol.'*.addthisedge.com',
            ],
            'self' => true,
            'unsafe-inline' => true,
        ],
        'img-src' => [
            'allow' => [
                $protocol.'*.google-analytics.com',
                $protocol.'businessmarketplace.s3.amazonaws.com',                
                $protocol.'placehold.it',
                $protocol.'mediaweek.com.au',
            ],
            'self' => true,
            'data' => true,
            'blob' => true,
        ],
        'font-src' => [
            'allow' => [
                $protocol.'fonts.gstatic.com',
            ],
            'self' => true,
            'data' => true,
        ],
        'object-src' => [
            'allow' => [],
            'self' => true,
        ],
    ],
];

After testing different configurations with my team, we found that you can use the allow array to specify source expressions such as 'self' and blob:, so we set the img-src directive to:

'img-src' => [
    'allow' => [
        "'self'", 'blob:',
        $protocol.'*.google-analytics.com',
        $protocol.'businessmarketplace.s3.amazonaws.com',
        $protocol.'placehold.it',
        $protocol.'mediaweek.com.au',
    ],
],
Now the policy allows requests such as blob:http://b2b.local/hash.
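To see why the original directive rejected the thumbnail and the fixed one accepts it, here is an added example (not code from the question, the answer or the secure-headers package) that evaluates a URL against a CSP header the way a browser's img-src check does. The two header strings are constructed from the directive quoted in the console message and from the fixed allow array; port and path matching are deliberately omitted.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Simplified CSP source matching (ports and path parts are ignored)."""
    u, page = urlparse(url), urlparse(page_origin)
    if expr == "'self'":
        # 'self' means the document's own scheme and host. Browsers do not stretch
        # it to blob: or data: URLs, which is why those need an explicit scheme source.
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):
        return False                            # 'none', nonces, hashes match no URL
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1].lower()    # scheme source such as blob: or data:
    scheme, _, host = expr.rpartition("://")    # host source with optional scheme
    if u.hostname is None or (scheme and scheme.lower() != u.scheme):
        return False
    host = host.lower()
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])    # *.example.com covers its subdomains
    return u.hostname == host

def image_allowed(header, url, page_origin):
    """True if url may load as an image: img-src governs, default-src is the fallback."""
    policy = parse_csp(header)
    sources = policy.get("img-src", policy.get("default-src"))
    if sources is None:
        return True                             # no directive restricts images
    return any(source_matches(s, url, page_origin) for s in sources)

# Constructed inputs: the directive the console reported, and the fixed one.
ORIGIN = "http://b2b.local"
THUMBNAIL = "blob:http://b2b.local/085a1b81-0513-47a8-a334-fbc4eca4b365"
BLOCKING = "default-src 'self'; img-src 'self' http://www.google-analytics.com data:"
FIXED = ("default-src 'self'; img-src 'self' blob: http://*.google-analytics.com "
         "http://businessmarketplace.s3.amazonaws.com data:")

if __name__ == "__main__":
    print("blocking policy allows thumbnail:", image_allowed(BLOCKING, THUMBNAIL, ORIGIN))
    print("fixed policy allows thumbnail:   ", image_allowed(FIXED, THUMBNAIL, ORIGIN))
```

Running it also shows that a page with no img-src at all falls back to default-src, so 'self' there blocks blob: thumbnails just the same.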