【Question title】: I'm loading an Angular app uploaded on Firebase in Facebook webview. Getting refused to frame error
【Posted】: 2021-11-16 20:25:52
【Question description】:

I'm loading an Angular app uploaded on Firebase in the Facebook webview. Getting a refused to frame error for the API and the view. I have added meta tags in index.html as well.

Errors

HTML rendering error

[Report Only] Refused to frame 'https://yyyyyyy/' because it violates the following Content Security Policy directive: "frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com".

VM346 referer_frame.php:1 [Report Only] Refused to frame 'https://yyyyyyyy/' because it violates the following Content Security Policy directive: "frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com".

API call blocked error

zone-evergreen.js:2845 Refused to connect to 'https://xxxxxxxx' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

I added the following meta tags in index.html

Meta tags: API URL: https://xxxxxx/ Firebase URL: https://yyyyyy/

<meta http-equiv="Content-Security-Policy" content="frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com https://yyyyyy/ frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com">  
  
<meta http-equiv="Content-Security-Policy" content="default-src 'self'  data: gap: https://ssl.gstatic.com 'unsafe-eval' https://xxxxxx/">

Thanks for your help :)

【Question discussion】:

    Tags: angular iframe content-security-policy facebook-iframe facebook-webhooks


    【Solution 1】:

    Facebook has a CSP that prohibits inserting iframes into its pages. The error:

    [Report Only] Refused to frame 'https://yyyyyyy/' because it violates the following Content Security Policy directive:
      "frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com".
    

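    belongs to Facebook's CSP; this has already been figured out here.

    Note that this CSP violation appeared even before you added the meta tags.
    In any case, there is no way to mitigate a third-party CSP by adding your own. Your CSP operates within your iframe, but the main page (*.facebook.com) will follow Facebook's CSP.

    【Discussion】: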
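
The per-document rule the answer describes, as an added example (not code from the original post): a simplified CSP matcher showing that the embedding page's `frame-src` list is evaluated without the framed app's meta tags, that `connect-src` falls back to `default-src`, and that a second policy on the same document can only restrict further. The hosts `app.example.test` and `api.example.test` are placeholders for the redacted URLs, and matching is reduced to scheme and host.

```javascript
// Added example: simplified CSP matching (scheme and host only; no ports, paths or nonces).
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive name is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fallback chains: connect-src -> default-src; frame-src -> child-src -> default-src.
const FALLBACK = { connect: ['connect-src', 'default-src'],
                   frame: ['frame-src', 'child-src', 'default-src'] };

function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  if (source === "'self'") return u.origin === selfOrigin;
  if (source.startsWith("'")) return false; // keywords such as 'unsafe-eval' match no URL
  if (source === '*') return u.protocol === 'https:' || u.protocol === 'http:';
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m || (m[1] && m[1].toLowerCase() + ':' !== u.protocol)) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
}

// A single policy allows a load if no directive governs it or any listed source matches.
function policyAllows(policy, kind, url, selfOrigin) {
  const name = FALLBACK[kind].find((d) => policy.has(d));
  return !name || policy.get(name).some((s) => sourceMatches(s, url, selfOrigin));
}

// Only the policies delivered with the document making the load are consulted,
// and every one of them must allow it: an extra policy can restrict, never loosen.
function documentAllows(policyTexts, kind, url, selfOrigin) {
  return policyTexts.every((t) => policyAllows(parsePolicy(t), kind, url, selfOrigin));
}

// Policies quoted from the error messages above; hosts are constructed placeholders.
const EMBEDDER = 'frame-src *.doubleclick.net *.google.com *.facebook.com www.googleadservices.com *.fbsbx.com';
const APP_CSP = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'";
const APP = 'https://app.example.test', API = 'https://api.example.test';

console.log(documentAllows([EMBEDDER], 'frame', APP + '/', 'https://www.facebook.com')); // false
console.log(documentAllows([APP_CSP], 'connect', API + '/v1', APP)); // false, via default-src
console.log(documentAllows([APP_CSP, `connect-src ${API}`], 'connect', API + '/v1', APP)); // false
console.log(documentAllows([`${APP_CSP}; connect-src 'self' ${API}`], 'connect', API + '/v1', APP)); // true
```

The last two calls differ only in whether the API host is added as a second policy or written into the policy that was already blocking the request.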
