问题
I am getting the following error while setting the content-security-policy using Angular4.
Error:
Refused to connect to 'ws://localhost:4200/sockjs-node/812/lxo2oeas/websocket' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Uncaught TypeError: event.data.indexOf is not a function at receiveMessage (out.js:4)
Here is my code:
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">
<meta charset="utf-8">
<title>Myapp</title>
<base href="/">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="favicon.ico">
</head>
<body>
<app-root></app-root>
</body>
</html>
Here I need to set the content-security-policy but getting those error.
回答1:
You need to explicitly indicate that ws: source expressions are allowed.
So either change your meta element to have this:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';
connect-src ws:">
…that is, add a connect-src directive with a ws: source expression.
Or else do this:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval' ws:;
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">
…that is, add the ws: source expression to your existing default-src directive.
来源:https://stackoverflow.com/questions/49233988/getting-error-while-setting-the-content-security-policy-using-angular4