Ruby on Rails webpacker and injectStylesIntoStyleTag.js break CSP
Tags: ruby-on-rails, content-security-policy, webpacker
My Ruby on Rails application's CSP worked perfectly before I added webpacker. Now I get:
Content Security Policy: The page’s settings observed the loading of a resource at inline (“style-src”). A CSP report is being sent. injectStylesIntoStyleTag.js:117
Content Security Policy: The page’s settings observed the loading of a resource at inline (“style-src”). A CSP report is being sent. injectStylesIntoStyleTag.js:190
The code in question looks like this:
function insertStyleElement(options) {
  var style = document.createElement('style');
  // ...
  if (typeof options.insert === 'function') {
    options.insert(style);
  } else {
    var target = getTarget(options.insert || 'head');
    if (!target) {
      throw new Error("Couldn't find a style target. This probably means that the value for the 'insert' parameter is invalid.");
    }
    target.appendChild(style); //LINE 117//
  }
  return style;
}
and:
function applyToTag(style, options, obj) {
  var css = obj.css;
  // ...
  if (style.styleSheet) {
    style.styleSheet.cssText = css;
  } else {
    while (style.firstChild) {
      style.removeChild(style.firstChild);
    }
    style.appendChild(document.createTextNode(css)); //LINE 190//
  }
}
How do I add a nonce? It says to add
__webpack_nonce__ = 'random'
to my entry file (in this case app/javascript/packs/application.js), but adding that nonce to my CSP file has no effect on the style-src violation. In this case it looks like this: config.style_src :self, 'https://fonts.googleapis.com', 'nonce-random'
I somehow couldn't find the injected styles in the source code, but the answer was to open the page in Chrome (I was using Firefox) and copy the sha-256 hashes from the console log into the application's CSP.
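The hash the answer copies from Chrome's console is the base64 SHA-256 digest of the injected style element's text, so it can also be computed from the CSS itself. The following is an added example, not code from the original post: a Node.js sketch that computes the hash source and models, in simplified form, whether a policy allows an inline style. The sample CSS, the policy string and all function names are constructed for illustration.

```javascript
// Added example, not code from the original post. Node.js standard library only.
const { createHash } = require('crypto');

// CSP hash source for the exact text content of an inline <style> element.
function cspHashSource(cssText, algo = 'sha256') {
  const digest = createHash(algo).update(cssText, 'utf8').digest('base64');
  return `'${algo}-${digest}'`;
}

// Parse a policy header value into { directive: [source, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources; // first one wins
  }
  return directives;
}

// Simplified model of the inline-style check: returns true when a <style>
// element with this text and nonce attribute would be allowed.
function inlineStyleAllowed(policy, cssText, nonceAttr = '') {
  const d = parsePolicy(policy);
  const sources = d['style-src-elem'] || d['style-src'] || d['default-src'];
  if (!sources) return true; // no directive governs styles
  if (nonceAttr && sources.includes(`'nonce-${nonceAttr}'`)) return true;
  const hashed = ['sha256', 'sha384', 'sha512']
    .some((algo) => sources.includes(cspHashSource(cssText, algo)));
  if (hashed) return true;
  // 'unsafe-inline' is ignored once any nonce or hash source is present.
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return !strict && sources.includes("'unsafe-inline'");
}

// Constructed sample data: CSS as a bundler might inject it, and a policy
// modelled on the one in the question.
const SAMPLE_CSS = 'body { font-family: "Roboto", sans-serif; }';
const BASE_POLICY = "default-src 'self'; style-src 'self' https://fonts.googleapis.com";

function demo() {
  const withHash = `${BASE_POLICY} ${cspHashSource(SAMPLE_CSS)}`;
  return {
    blockedByBase: !inlineStyleAllowed(BASE_POLICY, SAMPLE_CSS),
    allowedByHash: inlineStyleAllowed(withHash, SAMPLE_CSS),
    // One changed byte (here a trailing newline) invalidates the hash.
    brokenByRebuild: !inlineStyleAllowed(withHash, SAMPLE_CSS + '\n'),
  };
}

console.log(demo());
```

Because the hash covers every byte of the style text, it has to be regenerated whenever the bundled CSS changes; a matching nonce attribute on the style element does not have that dependency.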