

How to fix CSP errors? "Execution of the inline event handler is denied because it violates the following Content Security Policy directive..."

<p>我在 script-src 中添加 nonce 值时收到 CSP 错误。这是我正在设置的 CSP - <code>Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'nonce-b1967a39a02f45edbac95cbb4651bd12' 'unsafe-hashes'; frame-src 'self' 'nonce-b1967a39a02f45edbac95cbb4651bd12' 'unsafe-hashes'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'self'; font-src 'self' data:;</code></p> <p>我的JS文件内容是-</p> <pre class="brush:php;toolbar:false;"><html dir=&quot;ltr&quot;> <head> <meta http-equiv=&quot;Content-Type&quot; content=&quot;text/html; charset=utf-8&quot; /> <title> WebHelp Navigation Toolbar </title> <style> <!-- body {margin:0;} --> </style> <script nonce='b1967a39a02f45edbac95cbb4651bd12' src=&quot;whver.js&quot; charset=&quot;utf-8&quot;></script> <script nonce='b1967a39a02f45edbac95cbb4651bd12' src=&quot;whutils.js&quot; charset=&quot;utf-8&quot;></script> <script nonce='b1967a39a02f45edbac95cbb4651bd12' src=&quot;whmsg.js&quot; charset=&quot;utf-8&quot;></script> <script nonce='b1967a39a02f45edbac95cbb4651bd12' src=&quot;whproxy.js&quot; charset=&quot;utf-8&quot;></script> <script nonce='b1967a39a02f45edbac95cbb4651bd12' src=&quot;whmozemu.js&quot; charset=&quot;utf-8&quot;></script> <script nonce='b1967a39a02f45edbac95cbb4651bd12' src=&quot;whtbar.js&quot; charset=&quot;utf-8&quot;></script> <script nonce='b1967a39a02f45edbac95cbb4651bd12' type=&quot;text/javascript&quot; language=&quot;JavaScript1.2&quot;> //<![CDATA[ function printTopic() { var topicPane; if (top.frames[0].name == &quot;ContentFrame&quot;) topicPane = top.frames[0].frames[1].frames[1]; else topicPane = top.frames[1].frames[1]; topicPane.focus(); var msg = new whMessage(WH_MSG_PRINT, 0, 0); notify(msg); } //]]> </script> </head> <body marginheight=&quot;0&quot; marginwidth=&quot;0&quot; bgcolor=&quot;#363f48&quot; background=&quot;background.png&quot; scroll=&quot;no&quot;> <script nonce='b1967a39a02f45edbac95cbb4651bd12' language=&quot;javascript1.2&quot;> <!-- if (window.gbWhTBar) { 
setButtonFont(&quot;toc&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;#a7abaf&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;); setButtonFont(&quot;toc&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;White&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;, true); setButtonFont(&quot;idx&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;#a7abaf&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;); setButtonFont(&quot;idx&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;White&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;, true); setButtonFont(&quot;fts&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;#a7abaf&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;); setButtonFont(&quot;fts&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;White&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;, true); setButtonFont(&quot;glo&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;#a7abaf&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;); setButtonFont(&quot;glo&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;White&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;, true); setButtonFont(&quot;searchform&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;#a7abaf&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;); setButtonFont(&quot;searchform&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;, true); setButtonFont(&quot;banner&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;); setButtonFont(&quot;banner&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;, true); setButtonFont(&quot;custom15160&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;#a7abaf&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;); setButtonFont(&quot;custom15160&quot;,&quot;Arial&quot;,&quot;11pt&quot;,&quot;White&quot;,&quot;Normal&quot;,&quot;Normal&quot;,&quot;none&quot;, true); gsIToc = &quot;wht_toc_n.gif&quot;; 
gsITocS = &quot;wht_toc_h.gif&quot;; gsIIndex = &quot;wht_idx_n.gif&quot;; gsIIndexS = &quot;wht_idx_h.gif&quot;; gsISearch = &quot;wht_fts_n.gif&quot;; gsISearchS = &quot;wht_fts_h.gif&quot;; gsIGlossary = &quot;wht_glo_n.gif&quot;; gsIGlossaryS = &quot;wht_glo_h.gif&quot;; gsIWebSearch = &quot;wht_ws.gif&quot;; gsIWebSearchD = &quot;wht_ws_g.gif&quot;; gsIBanner = &quot;wht_logo1.gif&quot;; gsIGo = &quot;wht_go.gif&quot;; setBackgroundcolor(&quot;#363f48&quot;); setBackground(&quot;background.png&quot;); setAlignment(&quot;left&quot;); setGoImage(&quot;search-input-go.png&quot;); if (!gsBgImage) { setButtonBgColor(&quot;toc&quot;, gsBgColor); setButtonBgColor(&quot;idx&quot;, gsBgColor); setButtonBgColor(&quot;fts&quot;, gsBgColor); setButtonBgColor(&quot;glo&quot;, gsBgColor); setButtonBgColor(&quot;toc&quot;, gsTBSelectedBgColor, true); setButtonBgColor(&quot;idx&quot;, gsTBSelectedBgColor, true); setButtonBgColor(&quot;fts&quot;, gsTBSelectedBgColor, true); setButtonBgColor(&quot;glo&quot;, gsTBSelectedBgColor, true); setButtonBgColor(&quot;toc&quot;,&quot;#363f48&quot;); setButtonBgColor(&quot;idx&quot;,&quot;#363f48&quot;); setButtonBgColor(&quot;fts&quot;,&quot;#363f48&quot;); setButtonBgColor(&quot;glo&quot;,&quot;#363f48&quot;); setButtonBgColor(&quot;searchform&quot;,&quot;&quot;); setButtonBgColor(&quot;banner&quot;,&quot;&quot;); setButtonBgColor(&quot;custom15160&quot;,&quot;#363f48&quot;); } setButtonBgColor(&quot;toc&quot;,&quot;#363f48&quot;, true); setButtonBgColor(&quot;idx&quot;,&quot;#363f48&quot;, true); setButtonBgColor(&quot;fts&quot;,&quot;#363f48&quot;, true); setButtonBgColor(&quot;glo&quot;,&quot;#363f48&quot;, true); setButtonBgColor(&quot;searchform&quot;,&quot;&quot;, true); setButtonBgColor(&quot;banner&quot;,&quot;&quot;, true); setButtonBgColor(&quot;custom15160&quot;,&quot;#363f48&quot;, true); 
addButton(&quot;toc&quot;,BTN_TEXT|BTN_IMG,&quot;Contents&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,0,0,&quot;contents-unselected.png&quot;,&quot;contents-selected.png&quot;,&quot;&quot;,&quot;contents-selected.png&quot;,&quot;&quot;,&quot;&quot;); addButton(&quot;fts&quot;,BTN_TEXT|BTN_IMG,&quot;Search&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,0,0,&quot;search-unselected.png&quot;,&quot;search-selected.png&quot;,&quot;&quot;,&quot;search-selected.png&quot;,&quot;&quot;,&quot;&quot;); addButton(&quot;searchform&quot;,BTN_TEXT,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,0,0,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;,&quot;&quot;); addButton(&quot;custom15160&quot;,BTN_TEXT|BTN_IMG,&quot;Print&quot;,&quot;&quot;,&quot;printTopic();&quot;,&quot;&quot;,&quot;&quot;,0,0,&quot;print-unselected.png&quot;,&quot;print-selected.png&quot;,&quot;&quot;,&quot;print-selected.png&quot;,&quot;&quot;,&quot;&quot;); addButton(&quot;blankblock&quot;); writeStyle(false); ReSortToolbarButtons(); } else document.location.reload(); //--> </script> </body></pre> <p>从 script-src 中删除“unsafe-inline”并添加“nonce-b1967a39a02f45edbac95cbb4651bd12”后,我收到此错误。在这个问题上纠结了好久。需要一些指导。提前致谢。</p>
P粉781235689P粉781235689453 days ago834


  • P粉237647645

    P粉2376476452023-08-31 10:12:08

    The error message indicates that you have an inline event handler, which means you have an onclick, onblur, onchange, etc. attribute somewhere. The error message may contain links to the actual code.

    To allow inline event handlers you need to use one of these

    • 'unsafe-hashes' together with the hash of each handler's code
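    • 'unsafe-inline' (browsers ignore this keyword while the same directive also lists a nonce or hash, so the nonce would have to be removed for it to take effect)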

    However, if you are able to rewrite the code, your best option is to use an event listener.

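    Event handler attributes are not nonceable, so your nonce approach does not work for this code. A nonce only applies to <script> elements; in the posted page the handler is probably generated from the "printTopic();" string passed to addButton, so check how whtbar.js writes that button out.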
