在本地项目中集成 Stripe API 时,我遇到了与 内容安全策略 (CSP) 和 Web Workers 相关的问题。
当我尝试加载集成了 Stripe.js 的页面时,我在控制台中收到以下错误:
Refused to create a worker from 'blob:https://m.stripe.network/9ebe38a1-64c4-425e-835f-e4af76e27553' because it violates the following Content Security Policy directive: "script-src https://m.stripe.network 'sha256-/5Guo2nzv5n/w6ukZpOBZOtTJBJPSkJ6mhHpnBgm3Ls='". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.
该错误表明 Stripe 正在尝试从
blob:我已更新 HTML 代码中的 CSP 策略,特别是在
worker-srcblob:<meta http-equiv="Content-Security-Policy" content="default-src *; script-src *; style-src *; img-src *; font-src *; connect-src *; frame-src *; object-src *; child-src *; media-src *; manifest-src *; worker-src * blob:;">
即使包含
worker-src * blob:<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
content="default-src * blob:; script-src *; style-src *; img-src *; font-src *; connect-src *; frame-src *; object-src *; child-src *; media-src *; manifest-src *; worker-src * blob:;">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<script src="https://code.jquery.com/jquery-3.7.1.min.js" integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo=" crossorigin="anonymous"></script>
<script src="https://js.stripe.com/v3/"></script>
<title>Stripe Integration - Proof of Concept</title>
</head>
<body>
<form action="">
<label for="">Label</label>
<input type="text" name="" id="">
</form>
<script>
const stripe = Stripe('pk_test_---');
</script>
</body>
</html>
错误消息表明问题与缺乏适当的 CSP 指令有关,该指令允许从
blob:blob:worker-src*script-src *blob:如果我是否错过了任何步骤,或者是否有更有效的方法可以以安全的方式在内容安全策略中允许
blob:预先感谢您的帮助。
127.0.0.1:5500这些是 Stripe.js 需要的 CSP 指令 https://docs.stripe.com/security/guide?csp=csp-js#content-security-policy
您可以将它们添加到您的集成中并重试吗?