时间戳

首页 > 解决方案 > Turbolinks - 拒绝执行内联脚本,因为它违反了以下内容安全政策

ruby-on-rails - Turbolinks - 拒绝执行内联脚本,因为它违反了以下内容安全政策

问题描述

我正在使用“Turbolinks 5.1.0”。

文件:宝石文件

gem 'turbolinks', '~> 5.1'

文件:应用程序布局头

<%= javascript_include_tag "application", nonce: true %>

文件:config/initializers/content_security_policy.rb

Rails.application.config.content_security_policy_nonce_generator = -> 请求 { SecureRandom.base64(16) }

谷歌浏览器控制台错误

VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243

[仅报告] 拒绝执行内联脚本,因为它违反了以下内容安全策略指令:“script-src 'self' https: 'unsafe-inline' 'nonce-UiVx2CiP0HHN9jOOSEG43g=='”。请注意,如果源列表中存在散列值或随机数值,则忽略“不安全内联”。

n.assignNewBody @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
n.replaceBody @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
(anonymous) @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
t.renderView @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
n.render @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
t.render @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
e.renderSnapshot @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
e.render @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
t.render @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
(anonymous) @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243
(anonymous) @ VM32 application-ae291f799496478302742f713e72f20a7958b7077387b87e18ab98c51ec979c4.js:243

为了解决这个问题,我似乎有两种解决方案,如下所示

1) 使用 data-turbolinks-track: reload

<%= javascript_include_tag "application", 'data-turbolinks-track': :reload, nonce: true %>

或者

2)使用会话存储对turbolink请求重用相同的随机数,这是解决这个问题的正确方法吗?

Rails.application.config.content_security_policy_nonce_generator = -> request do
  # use the same csp nonce for turbolinks requests
  if request.env["HTTP_TURBOLINKS_REFERRER"].present? && request.session["mykey"].present?
    request.session["mykey"]
  else
    request.session["mykey"] = SecureRandom.base64(16)
  end
end

请在这里提出正确的解决方案!

标签: ruby-on-railsruby-on-rails-5content-security-policyturbolinks

解决方案

推荐阅读