求救!umi4 + antd pro过csp策略 #12254
Replies: 3 comments 4 replies
-
|
实在是没找到umi哪里能加nonce...希望大家救救孩子... |
Beta Was this translation helpful? Give feedback.
-
|
或者说大佬们有什么更好的办法能过csp吗,不尽感激! |
Beta Was this translation helpful? Give feedback.
-
|
你这不是在加载本地开发的 js 吗,你在开发的时候肯定有代理域名吧,在代理的时候修改下响应头就可以了。 或者在项目根目录创建一个项目级插件 // plugin.ts
import { IApi } from 'umi'
export default (api: IApi) => {
api.onBeforeMiddleware(({ app }) => {
app.use((req, res, next) => {
// res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp')
next()
})
})这里面任意改开发服务器的 express 。 |
Beta Was this translation helpful? Give feedback.
-
|
大佬不好意思可能我没描述清楚我的问题...就是不管是开发环境还是build出来的环境我的head头里加载antdesign的style标签都会被认定成内联样式,我在控制台报错的位置打断点给style标签的attribute加了nonce之后就不会报错了,这个是azure服务器的csp扫描出来的漏洞,而我不能用unsafe-inline,所以我想不知道有没有方法能给head中的style加上nonce值,希望您能解答一下谢谢。 |
Beta Was this translation helpful? Give feedback.
-
|
我模拟开启csp是手动的写了meta开启的,图里也有哒 |
Beta Was this translation helpful? Give feedback.
-
|
如果你是说的 antd 插入的 style 标签的话,这个是因为 antd 5 使用是 css in js 的样式方案,不是 css 文件,如果你要用 antd 5 ,就肯定要有 style 标签插入样式。 如果要用 antd 5 ,就考虑放开 csp 限制,否则就回退到 antd 4 ,另外现在很多组件库使用的都是 css in js 方案,这也是要注意的一个点。 |
Beta Was this translation helpful? Give feedback.
-
|
antd ConfigProvider组件支持注入nonce |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
如题,现在我开启的csp策略只包含了self,公司不允许用unsafe-inline,于是就想到了加nonce,但是操作了好久好久还是没能成功给style和script加上nonce,大佬们有什么好办法吗~
mf-dep____vendor.5aaccf88.js:290797 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' 'nonce-c29tZSBjb29sIHN0cmluZyB3aWxsIHBvcCB1cCAxMjM='". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Beta Was this translation helpful? Give feedback.
All reactions