1. 首页
  2. 问答
  3. [halo-dev/halo]Halo默认主题,在HTTPS下,拉取文件问题

[halo-dev/halo]Halo默认主题,在HTTPS下,拉取文件问题

2024-04-02 471 views
5

默认主题出现问题: image

拉取部分文件的时候出现: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'".

我的blog站点在nginx代理之后,利用https://www.digitalocean.com/community/tools/nginx生成, 站点SSL配置如下: image image

主题或者Halo是否存在SSL安全配置不当问题? 部分SSL安全配置如下: add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; add_header Permissions-Policy "interest-cohort=()" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

sethome2

回答

6

补充说明,非HTTP下没问题

sethome2

4 
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;

似乎是因为这行配置导致的,浏览器日志说的是 main.iife.js 包含了不安全的 eval 函数,但我搜了一下并没有发现,不太清楚为什么会有这个异常。

/kind support

ruibaby

0

目前我已经把digitalocean生成的nginx配置修改了,Content Security Policy的安全策略设置为空,该设置主要还是防止XSS,脚注入一类的。

但是wordpress和alist之类能在这个限制条件下正常运行,本人不是前端,只是不负责任的猜测一下,可能是halo的JS修改了frame的部分,错误再往前一些可以看到浏览器阻止JS修改了@click.outside等属性(我截图截少了)。

问题主要还是nginx的这边,既然这样我就关闭该issue了。开发团队未来可以考虑新增一下关于安全配置方面的指导,感谢回复。

sethome2

3

如果有这个异常,那应该和 alpinejs 这个库有关,但我目前也不太清楚为什么会触发这个异常,晚点我研究一下它的实现。

ruibaby

9

确实是 CSP 的配置阻止了 unsafe-eval 的执行。我在本地已经复现了该问题:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Language: en-US
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';
Referrer-Policy: strict-origin-when-cross-origin
content-encoding: gzip
content-length: 3800
main.iife.js?v=1.5.0:5 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'".

    at new AsyncFunction (<anonymous>)
    at main.iife.js?v=1.5.0:5:638
    at vn (main.iife.js?v=1.5.0:5:797)
    at yn (main.iife.js?v=1.5.0:5:842)
    at qt (main.iife.js?v=1.5.0:5:287)
    at A (main.iife.js?v=1.5.0:5:165)
    at main.iife.js?v=1.5.0:5:35437
    at Function.<anonymous> (main.iife.js?v=1.5.0:5:11088)
    at r (main.iife.js?v=1.5.0:5:2181)
    at i (main.iife.js?v=1.5.0:5:2211)

JohnNiang