Content-Security-Policy configured in headers does not take effect for HTML
haovei opened this issue · 3 comments
haovei commented
Interception rules:
resHeaders://{safe-res-headers}
safe-res-headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: same-origin
X-Permitted-Cross-Domain-Policies: master-only
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
All the other configured headers are present in the response; only Content-Security-Policy is missing.
What could be causing this?
haovei commented
The responses to all other requests carry Content-Security-Policy; only the HTML response lacks it.
avwo commented
Because the page gets the little dot (the Whistle widget) injected, the CSP header is removed automatically. In the Whistle admin console, configure the rule pattern enable://keepCSP
and try again.
haovei commented
Configured enable://keepCSP.
That solved it.
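The thread turns on one observation: every proxied response carried the safe-res-headers set except the HTML response, which had lost Content-Security-Policy. The following is an added example for this thread, not Whistle's own code, that makes that kind of check repeatable: it parses a raw HTTP/1.1 response head and reports which of the expected headers from the rule above are absent or carry a different value, so the keepCSP fix can be verified per content type. The two response samples are constructed for the example, not captured traffic; header names are matched case-insensitively, since a proxy may rewrite their case.

```python
"""Check proxied responses for the safe-res-headers set from the issue.

Added example for this thread (not Whistle's own code). It parses raw
HTTP/1.1 response head text (constructed samples below, not captured
traffic) and reports which of the expected security headers are missing
or differ, so the keepCSP fix can be verified for HTML and non-HTML.
"""
from typing import Dict, List

# Expected header names and values, copied from the safe-res-headers rule above.
EXPECTED_HEADERS: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "same-origin",
    "X-Permitted-Cross-Domain-Policies": "master-only",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: an HTML response as described in the issue, i.e. the
# proxy injected its widget and dropped CSP before enable://keepCSP was set.
# One header is lower-cased on purpose to show case-insensitive matching.
HTML_WITHOUT_KEEPCSP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "x-content-type-options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Referrer-Policy: same-origin\r\n"
    "X-Permitted-Cross-Domain-Policies: master-only\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<!doctype html><html><body>hello</body></html>"
)

# Constructed sample: a non-HTML response, which kept the full header set.
JSON_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Referrer-Policy: same-origin\r\n"
    "X-Permitted-Cross-Domain-Policies: master-only\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    '{"ok": true}'
)


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse the status line and headers of a raw HTTP response.

    Header names are case-insensitive (RFC 9110), so keys are lower-cased.
    Repeated headers are joined with ", ". Any body after the blank line
    is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def missing_security_headers(raw: str) -> List[str]:
    """Return expected header names that are absent or carry a different value."""
    present = parse_response_head(raw)
    return [
        name
        for name, expected in EXPECTED_HEADERS.items()
        if present.get(name.lower()) != expected
    ]


if __name__ == "__main__":
    for label, sample in (("html", HTML_WITHOUT_KEEPCSP), ("json", JSON_RESPONSE)):
        print(f"{label}: missing {missing_security_headers(sample) or 'none'}")
```

Run against real traffic by pasting the response head captured in the Whistle network panel into `missing_security_headers`; once enable://keepCSP is in place, the HTML response should report no missing headers, matching the JSON case.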