【发布时间】:2023-03-30 08:09:02
【问题描述】:
我只希望加载来自我的站点、youtube 和 addthis 的脚本,不允许其他任何内容。这是我的 crossdomain.xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="my website url"/>
<allow-access-from domain="www.youtube.com"/>
<allow-access-from domain="ct1.addthis.com"/>
</cross-domain-policy>
谁能告诉我哪里出了问题或者如何验证我的网站是否使用了 crossdomain.xml 文件?
亲切的问候, 哈利
编辑:
<IfModule mod_headers.c>
Header set X-Content-Security-Policy: "allow 'self'; options inline-script; img-src 'self' data:"
<FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
Header unset Content-Security-Policy
</FilesMatch>
</IfModule>
我在哪里添加https://www.youtube.com 以允许播放我的嵌入视频?这是堆栈跟踪,尽管我怀疑它是否很有帮助。
Error in event handler for (unknown): Blocked a frame with origin "https://www.youtube.com" from accessing a cross-origin frame.
Stack trace: Error: Blocked a frame with origin "https://www.youtube.com" from accessing a cross-origin frame.
at Error (native)
at setupffoverrides (chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/onloadwff.js:151:86)
at checkgenpwfillforms (chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/onloadwff.js:152:33)
at receiveBG (chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/onloadwff.js:130:210)
at Function.target.(anonymous function) (extensions::SafeBuiltins:19:14)
at EventImpl.dispatchToListener (extensions::event_bindings:395:22)
at Function.target.(anonymous function) (extensions::SafeBuiltins:19:14)
at Event.publicClass.(anonymous function) [as dispatchToListener] (extensions::utils:65:26)
at EventImpl.dispatch_ (extensions::event_bindings:378:35)
at EventImpl.dispatch (extensions::event_bindings:401:17)
编辑 2:
我已将其更改为以下内容,但仍然得到相同的跟踪。
Header set X-Content-Security-Policy: "allow 'self' https://www.youtube.com; options inline-script; img-src 'self' data:"
【问题讨论】:
标签: apache security centos xss content-security-policy