我在CSP标题上将youtube API域列入白名单,但它仍然拒绝该脚本。
CSP标题
default-src 'self'; script-src 'self' https://youtube.com/iframe_api s.ytimg.com; style-src 'self' ; img-src 'self' https://i.ytimg.com; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'none' ; child-src 'none' ; frame-src https://wwww.youtube.com ; worker-src 'self' ; frame-ancestors 'none' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; disown-opener; sandbox allow-scripts allow-same-origin; reflected-xss block; manifest-src 'self' ; referrer no-referrer;
错误
Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "script-src 'self' https://youtube.com/iframe_api s.ytimg.com".
通过使用strict-dynamic和使用nonce解决了这个问题