我刚刚开始在Chrome上嵌入我的youtube视频(86.0.4240.193-最近更新,这可能就是我刚刚看到此内容的原因)开始看到这些-这些仅是报告",因此这些视频仍然显示100张错误是不对的!这就是我所看到的:
I've just started seeing this with my embedded youtube videos on Chrome (86.0.4240.193 - recently updated which is probably why I'm just seeing this) - these are 'reports' only, so the videos still show but 100s of errors can't be right! This is what I'm seeing:
[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'strict-dynamic' 'unsafe-inline' https: 'report-sample' 'nonce-t9IE7nI2leo7qKxsm7d80g=='".这是我的iFrame-
Here's my iFrame --
<iframe id="video-iframe" width="500" height="281" src="www.youtube/embed/HIDDENVIDEO" frameborder="0" allowfullscreen ></iframe>我不知道CSP应该是什么-这是我发现它显然解决了他们的问题的原因-
I cannot figure out what the CSP should be -- here's one that I found that apparently solved their problem --
<iframe id="video-iframe" width="500" height="281" src="www.youtube/embed/HIDDENVIDEO" frameborder="0" allowfullscreen csp="script-src 'self' www.google-analytics/ www.youtube/ s.ytimg/; object-src 'self'; child-src www.youtube/* s.ytimg/"></iframe>没什么-我只是看到:拒绝显示....
Not so much -- I just see: Refused to display....
非常感谢任何帮助.
我刚刚检查了 developers.google/youtube/iframe_api_reference#Examples 页面,我看到的是同一件事-当然不应该发生这种情况,对吧?
I just checked the developers.google/youtube/iframe_api_reference#Examples page and I'm seeing the same thing -- surely this shouldn't be happening, right?
推荐答案
如您所见,此错误不是由您的CPS触发的-您没有'nonce-t9IE7nI2leo7qKxsm7d80g ==''''令牌.此错误出现在Google的< iframe> 中,并且完全是Google的内部交易.
As you can see, this error is triggered not your CPS - your's do not have 'nonce-t9IE7nI2leo7qKxsm7d80g=='" token. This error appears within Google's <iframe> and it's totally Google's internal deal.
事实是,以前的多个Chrome版本都有一个错误,并且没有阻止eval 表达式.在Chrome版本86中,他们修复了该错误,并通过设置仅报告"标头并对其进行虚假调用来评估此错误,以评估报告.
The fact is that several previous versions of Chrome had a bug and did not block eval expressions. In version 86 Chrome, they fixed this bug, and to verify this, they set the Report-Only header and made a fake call to eval to see reports.
用于YouTube的CSP 非常简单,不需要不安全评估",因为所有可在孤立的iframe中使用: frame-src youtube www.youtube; 足以在iframe中使用Youtube.
CSP for Youtube is very simple and does not require 'unsafe-eval', because all works within isolated iframe: frame-src youtube www.youtube; is enough to allow for Youtube in iframe.
BT方式,您的CSP具有错误-路径部分不允许 * .并请小心< iframe csp = -如果服务器不同意您的CSP,内容将被阻止.但这< iframe csp = 发挥了作用是因为Chrome浏览器再次出现错误-如果Content-Security-Policy标头存在,它将忽略Content-Security-Policy-Report-Only.
Bt the way, your CSP has an error - the * is not allowed in path-part. And be careful with <iframe csp= - if server does not agree with your CSP, content will be blocked. But this <iframe csp= played the role because of once more Chrome bug - it ignores Content-Security-Policy-Report-Only if Content-Security-Policy header presence.
更多推荐
嵌入YouTube视频的CSP
发布评论