微信里会改CSP内容安全策略吗?
发布于 7 年前 作者 dpeng 1511 次浏览 来自 问答

ios环境:

1、通过微信访问我们的web(test.aspx)页面,页面中有new Function(‘arg1’, code)的代码,第一次访问没问题。

2、页面跳转到http://127.0.0.1:8888/test.docx(window.location.href=‘http://ip:port/test.docx’),没问题。

3、按返回键(history.go(-1))返回到步骤1的页面,执行new Function时,被浏览器拒绝,

try

{

    new Function(‘arg1’, code);

catch(e)

{

    console.log(e.message)   //Refused to evaluate a  string as JavaScirpt because ‘unsafe-eval’ is not allowed source of script in the following Content Security Policy directive :“default-src x-apple-ql-id: ‘unsafe-inline’”;

}

4、即使我在页面(test.aspx)页面中添加<meta http-equiv=“Content-Security-Policy” content=“script-src ‘unsafe-eval’ ‘self’ ‘unsafe-inline’;”> 也不行。

5、微信中是不是会设置浏览器的CSP规则?

1 回复

Answer: This is a bug in Apple QuickLook. When you e.g. open Excel document from your page, it is opened in browser using QuickLook and QuickLook patches your CSP policy to add “x-apple-ql-id:” source. When you navigate back, CSP is not restored and could lead to violation reports.

回到顶部