Tencent / nohost

A multi-account, multi-environment remote configuration and traffic-capture debugging platform built on Whistle
https://nohost.pro

Content-Security-Policy configured in headers does not take effect for html #151

Closed haovei closed 2 years ago

haovei commented 2 years ago

Interception rule

resHeaders://{safe-res-headers}

safe-res-headers

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: same-origin
X-Permitted-Cross-Domain-Policies: master-only
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN

All the other configured headers are present in the response headers; only Content-Security-Policy is missing. What is causing this?

haovei commented 2 years ago

The headers of all other requests do carry Content-Security-Policy. Only the html response is missing it.

avwo commented 2 years ago

Because the small dot (debug widget) is injected into the page, the CSP header is removed automatically. Try adding the rule pattern enable://keepCSP in the Whistle rules configuration of the admin console.

haovei commented 2 years ago

Configuring enable://keepCSP solved it.
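A check for this situation, added here as an example and not part of the issue or of the nohost project: it parses the safe-res-headers block from the thread as the expected header set and reports which headers are missing from each response, so a stripped Content-Security-Policy on an html response shows up even when every other header is present. The sample responses are constructed; in practice you would pass the header dict returned by your HTTP client when fetching through the proxy.

```python
from typing import Dict, List, Tuple

# The safe-res-headers block from the issue, as used by resHeaders://{safe-res-headers}.
SAFE_RES_HEADERS = """\
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: same-origin
X-Permitted-Cross-Domain-Policies: master-only
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
"""


def parse_header_block(block: str) -> Dict[str, str]:
    """Parse a Whistle-style 'Name: value' block into a dict keyed by lowercase name."""
    headers: Dict[str, str] = {}
    for line in block.splitlines():
        if not line.strip() or ":" not in line:
            continue  # skip blank lines and anything that is not a header line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_headers(expected: Dict[str, str], actual: Dict[str, str]) -> List[str]:
    """Return the expected header names that are absent from, or differ in, the response."""
    got = {k.lower(): v.strip() for k, v in actual.items()}  # header names are case-insensitive
    return [name for name, value in expected.items() if got.get(name) != value]


def audit(responses: List[Tuple[str, Dict[str, str]]]) -> Dict[str, List[str]]:
    """Map each URL to the list of security headers it is missing."""
    expected = parse_header_block(SAFE_RES_HEADERS)
    return {url: missing_headers(expected, hdrs) for url, hdrs in responses}


# Constructed sample responses: the html page without keepCSP (CSP stripped by the
# widget injection), the same page with keepCSP enabled, and a JSON API response.
_FULL = parse_header_block(SAFE_RES_HEADERS)
_HTML_NO_KEEPCSP = {k: v for k, v in _FULL.items() if k != "content-security-policy"}
SAMPLE_RESPONSES = [
    ("https://app.example.test/index.html", {"Content-Type": "text/html", **_HTML_NO_KEEPCSP}),
    ("https://app.example.test/index.html?keepCSP", {"Content-Type": "text/html", **_FULL}),
    ("https://app.example.test/api/user", {"Content-Type": "application/json", **_FULL}),
]

if __name__ == "__main__":
    for url, missing in audit(SAMPLE_RESPONSES).items():
        print(url, "->", "OK" if not missing else "missing: " + ", ".join(missing))
```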