大家好,Stack Overflow 社区,我在生产服务器上遇到了与内容安全策略 (CSP) 相关的 Livewire 问题。以下是我的设置和问题概述
大家好,Stack Overflow 社区,
我在生产服务器上遇到了与内容安全策略 (CSP) 相关的 Livewire 问题。以下是我的设置和我面临的问题的简要概述:
设置:
开发环境:
操作系统:Laragon 上的本地开发
Web 服务器:Nginx
Laravel 版本:10
Livewire 版本:3.4
NPM 版本:9.8.1
Node.js 版本:18.18.2
Vite 版本:3.0.2
浏览器:在 Chrome 上测试
生产环境:
操作系统:Ubuntu 20.04.6 LTS
Web 服务器:Nginx v1.18.0
Laravel 版本:10
Livewire 版本:3.4
NPM 版本:10.7.0
Node.js 版本:20.13.1
Vite 版本:3.2.10
浏览器:在 Chrome 上测试
问题:
在生产环境中,当访问应用程序时,遇到与 Livewire 的 JavaScript 文件相关的错误:
警告:
Alpine Expression Error: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'".
Expression: "tableWrapper($wire, )"
错误:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'".
at new AsyncFunction (<anonymous>)
at safeAsyncFunction (livewire.js?id=239a5c52:1254:21)
at generateFunctionFromString (livewire.js?id=239a5c52:1264:16)
at generateEvaluatorFromString (livewire.js?id=239a5c52:1269:16)
at normalEvaluator (livewire.js?id=239a5c52:1234:111)
at evaluateLater (livewire.js?id=239a5c52:1224:12)
at evaluate (livewire.js?id=239a5c52:1220:5)
at Function.<anonymous> (livewire.js?id=239a5c52:3491:17)
at flushHandlers (livewire.js?id=239a5c52:1358:48)
at stopDeferring (livewire.js?id=239a5c52:1363:7)
NGINX 配置:
以下是生产服务器的 Nginx 配置:
server {
listen 443 ssl http2;
server_name system.example.com;
set $base /app/system;
root $base/public;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'";
include nginxconfig.io/ssl.conf;
include nginxconfig.io/security.conf;
access_log /var/log/nginx/system-access.log combined buffer=512k flush=1m;
error_log /var/log/nginx/system-error.log warn;
index index.php;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
include nginxconfig.io/general.conf;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php-fpm.sock;
include nginxconfig.io/php_fastcgi.conf;
}
location = /livewire/livewire.js {
expires off;
try_files $uri $uri/ /index.php?$query_string;
}
}
server {
listen 80;
server_name system.example.com;
location / {
return 301 https://system.example.com$request_uri;
}
}
我尝试过的:
-
我尝试将 unsafe-eval 添加到 CSP 标头。:
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'";
-
我已经验证服务器上存在必要的文件。
尽管做出了这些努力,问题仍然存在。任何关于如何正确配置 Livewire 以使用严格 CSP 的指导,或避免使用 unsafe-eval 的替代方法,都将不胜感激。
谢谢你!