我不确定为什么它允许来自谷歌字体的其他字体,但它总是阻止材料图标和 fontawesome。我尝试用不同的方式编写谷歌字体,但它仍然不起作用。我不确定编写允许的域的正确方法是什么如果我将添加“*”设置到列表的末尾,那么谷歌材料字体会正确加载。请让我知道我做错了什么,这是我的代码
const safeToLoadFonts = [
"'self'",
'fonts.googleapis.com/icon?family=Material+Icons',
'fonts.googleapis.com/*',
'fonts.googleapis.com/',
'googleapis.com/*',
'googleapis.com/',
'https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta2/css/all.min.css',
'cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta2/css/all.min.css',
"'unsafe-inline'",
]
app.use(
helmet.contentSecurityPolicy({
directives: {
// defaultSrc: ['*', "'unsafe-inline'"],
// "script-src": ['*', "'unsafe-inline'"],
// "style-src": ['*', "'unsafe-inline'"],
"font-src": safeToLoadFonts,
// "img-src": ['*', "'unsafe-inline'"],
// "form-action":[ '*', "'unsafe-inline'"]
},
})
);
对于材质图标,我也收到此错误:
The source list for Content Security Policy directive 'font-src' contains a source with an invalid path: '/icon?family=Material+Icons'. The query component, including the '?', will be ignored.
我收到这个字体真棒错误:
Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "font-src 'self' <URL> <URL> fonts.googleapis.com/icon?family=Material+Icons fonts.googleapis.com/* fonts.googleapis.com/ googleapis.com/* googleapis.com/ <URL> cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta2/css/all.min.css 'unsafe-inline'".