Question

I'm securing my page using CSP headers. I set both X-Content-Security-Policy and X-Webkit-CSP to the following value:

default-src 'self';
object-src 'none';
frame-src 'self' *.youtube.com;
style-src 'self' https://ajax.googleapis.com;
script-src 'self' https://ajax.googleapis.com;
report-uri /csp_report

Everything loads fine, but I get the following error in Chrome. I have yet to test it in other browsers.

Refused to apply inline style because it violates the following Content 
Security Policy directive: "style-src 'self' https://ajax.googleapis.com".

referring to a line in a script on the current domain that's trying to insert some HTML containing inline styles. Is there a way to allow scripts that I have whitelisted using script-src to do this? I'm getting the same error for jQuery, hosted on ajax.googleapis.com.


Solution

I overlooked 'unsafe-inline'. Resources that I allowed to load can use inline styles by doing this:

style-src 'unsafe-inline'
License: CC-BY-SA with attribution
Not affiliated with StackOverflow