ember-cli served from VirtualBox violates the Content Security Policy

2024-02-11

I have a fresh ember-cli v.0.1.2 app. I serve ember from inside a VirtualBox VM and access the web page from the host through a host-only network adapter, at 192.168.56.102.

When I run ember serve inside the VirtualBox VM and visit 192.168.56.102 from the host, I get the following errors in the console:

 [Report Only] Refused to load the script 'http://192.168.56.102:35729/livereload.js?snipver=1' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729".
ember-cli-live-reload.js:5 (anonymous function)

livereload.js?snipver=1:193 [Report Only] Refused to connect to 'ws://192.168.56.102:35729/livereload' because it violates the following Content Security Policy directive: "connect-src 'self' ws://localhost:35729 ws://0.0.0.0:35729".

I have tried various configurations of ember-cli-content-security-policy https://github.com/rwjblue/ember-cli-content-security-policy with no luck:

 contentSecurityPolicy: {
    'default-src': "'none'",
    'script-src': "'self'",
    'font-src': "'self'",
    'connect-src': "'self'",
    'img-src': "'self'",
    'style-src': "'self'",
    'media-src': "'self'"
  }

How can I resolve these errors for VirtualBox development?

Edit:

So, according to this solution: EmberCsp tutorial https://www.justinbull.ca/private/csp/, and the blog post: https://blog.justinbull.ca/how-to-configure-csp-in-your-ember-cli-app/

This configuration fixed the errors:

  ENV.contentSecurityPolicy = {
      'default-src': "'none'",
      'script-src': "'self' 'unsafe-eval' 192.168.56.102:35729",
      'font-src': "'self'",
      'connect-src': "'self' ws://192.168.56.102:35729",
      'img-src': "'self'",
      'style-src': "'self'",
      'media-src': "'self'"
  };

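There is also a 30-minute video that explains all of this, but I have to use some hard-coded IPs that might change like this. Can a comprehensive explanation be accepted as an answer?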

How to enable CSP data:application/font*

I have included some fonts and now get these errors. What CSP configuration suppresses them:

[Report Only] Refused to load the font 'data:application/font-woff;charset=utf-8;base64,d09GRk9UVE8AAAVwAAoAAAAABSg…IAeQAgAEkAYwBvAE0AbwBvAG4ALgAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' because it violates the following Content Security Policy directive: "font-src 'self' data:application/* http://fonts.gstatic.com".

192.168.56.102/:1 [Report Only] Refused to load the font 'data:application/x-font-ttf;charset=utf-8;base64,AAEAAAALAIAAAwAwT1MvMggjCB…BiAHkAIABJAGMAbwBNAG8AbwBuAC4AAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==' because it violates the following Content Security Policy directive: "font-src 'self' data:application/* http://fonts.gstatic.com".

According to the reference http://content-security-policy.com/#source_list, this works:

  ENV.contentSecurityPolicy = {
      'default-src': "'none'",
      'script-src': "'self' 'unsafe-eval' 192.168.56.102:35729",
      'font-src': "'self' data: http://fonts.gstatic.com",
      'connect-src': "'self' ws://192.168.56.102:35729",
      'img-src': "'self'",
      'style-src': "'self' fonts.googleapis.com",
      'media-src': "'self'"
  };
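
The two policy changes in the post above, as an added example that is not part of the original post: a simplified source-list matcher (Node.js) shows why `localhost:35729` and `data:application/*` do not match the blocked requests while `192.168.56.102:35729` and `data:` do, and `buildDevPolicy` derives the same policy from a host value rather than a literal IP. The names `allows`, `buildDevPolicy` and `DEV_HOST` are assumptions made for this example, and the matcher ignores wildcards and paths.

```javascript
// Added example, not from the original post. Simplified CSP source matching:
// 'self', scheme-sources ("data:") and host-sources with optional scheme/port.
// Wildcards and paths are not handled; browsers implement the full grammar.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function allows(sourceList, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return sourceList.trim().split(/\s+/).some((src) => {
    if (src === "'self'") return target.origin === page.origin;
    if (src.startsWith("'")) return false; // other keywords, e.g. 'unsafe-eval'
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?$/i.exec(src);
    if (!m) return false; // "data:application/*" lands here: not a valid source
    const scheme = m[1] ? m[1].toLowerCase() + ':' : page.protocol;
    const port = target.port || DEFAULT_PORTS[target.protocol];
    return target.protocol === scheme && target.hostname === m[2].toLowerCase() &&
      port === (m[3] || DEFAULT_PORTS[scheme]);
  });
}

// Derive the post's working policy from a host value instead of a literal IP.
// DEV_HOST is a hypothetical environment variable name used only here.
function buildDevPolicy(host = process.env.DEV_HOST || 'localhost', port = 35729) {
  return {
    'default-src': "'none'",
    'script-src': `'self' 'unsafe-eval' ${host}:${port}`,
    'font-src': "'self' data: http://fonts.gstatic.com",
    'connect-src': `'self' ws://${host}:${port}`,
    'img-src': "'self'",
    'style-src': "'self' fonts.googleapis.com",
    'media-src': "'self'"
  };
}

// Requests from the post's console output; the font payload is constructed.
const PAGE = 'http://192.168.56.102';
const SCRIPT = 'http://192.168.56.102:35729/livereload.js?snipver=1';
const SOCKET = 'ws://192.168.56.102:35729/livereload';
const FONT = 'data:application/font-woff;charset=utf-8;base64,AAAA';
const policy = buildDevPolicy('192.168.56.102');

console.log(allows("'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729", SCRIPT, PAGE)); // false
console.log(allows(policy['script-src'], SCRIPT, PAGE));   // true
console.log(allows(policy['connect-src'], SOCKET, PAGE));  // true
console.log(allows("'self' data:application/* http://fonts.gstatic.com", FONT, PAGE)); // false
console.log(allows(policy['font-src'], FONT, PAGE));       // true
```

The live-reload entries on port 35729 are only needed while `ember serve` is running, so they belong in the development environment's policy and not in a production build.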
