Play Framework - setting Content Security Policy does not work?

I use sbt to create a play-scala-seed project and add a simple button:

<button id="doclick" onclick="doConsole();">click</button> 

But when I start the project and press the button, the console displays an error message:

localhost/:17 Refuses to execute the inline event handler because it violates the following content security policy directive: "default-src *". To enable inline execution, either the 'unsafe-inline' keyword or a hash ('sha256-...') or nonce ('nonce-...') is required. Also note that 'script-src' is not explicitly set, so 'default-src' is used as a backup.

application.conf

 play.http.filters = "filter.Filters"
 play.filters.headers.contentSecurityPolicy="script-src 'self' 'unsafe-inline'"

I just followed the Play security headers documentation.

Did I miss something or take the wrong path? I still can't call the inline script.

+5
1 answer

I had the same problem and found a solution after two hours of messing with it.
I use compile-time dependency injection, and I changed the application's mixin from HttpFiltersComponents to NoHttpFiltersComponents, which solved the problem.

0
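The console message in the question turns on CSP's directive fallback. As an added example (not part of the question or answer, and not Play's code), this simplified JavaScript model shows why a `default-src *` header blocks the `onclick` handler while the configured `script-src 'self' 'unsafe-inline'` would allow it. The function names are hypothetical, and hash matching via 'unsafe-hashes' is not modelled.

```javascript
// Simplified model of the browser's inline event handler check for ONE
// CSP header value. Assumptions: a single enforced policy, no report-only
// mode, and no 'unsafe-hashes' hash matching.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Inline handlers are checked against script-src-attr, then script-src,
// then default-src: the fallback the console message refers to.
function effectiveDirective(policy) {
  for (const name of ['script-src-attr', 'script-src', 'default-src']) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null; // no applicable directive: inline handlers are unrestricted
}

function inlineHandlerAllowed(header) {
  const eff = effectiveDirective(parseCsp(header));
  if (eff === null) return { allowed: true, directive: null };
  const sources = eff.sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // 'unsafe-inline' is ignored when a nonce or hash sits in the same source
  // list; host sources and '*' never match inline code.
  const allowed = sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  return { allowed, directive: eff.name };
}

// Constructed sample headers: the policy from the error message, the policy
// from application.conf, and a variant with a placeholder nonce.
const samples = [
  'default-src *',
  "script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline' 'nonce-PLACEHOLDER'",
];
for (const h of samples) {
  console.log(h, '=>', inlineHandlerAllowed(h));
}
```

Feeding the model the `Content-Security-Policy` value actually seen in the browser's network tab shows whether the configured policy is the one being sent. With NoHttpFiltersComponents no default filters run, so Play's security headers filter sends no CSP header at all, which the model reports as unrestricted.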

Source: https://habr.com/ru/post/1259449/

