使用 7.4.1,当我加载带有 videojs 的页面时,Chrome devtools 向我显示此错误:
Refused to create a worker from
'blob:https://dev.culturediscovery.com/51e9879d-fa81-4044-9117-
7328c0df4dd6' because it violates the following Content Security Policy directive: "default-src * data: 'unsafe-eval' 'unsafe-inline'". Note that 'worker-src' was not explicitly set, so 'default-src' is used as a fallback.
(anonymous) @ video.min.js:1830
(anonymous) @ video.min.js:2
(anonymous) @ video.min.js:2
谁能帮我弄清楚如何处理这个问题?
最佳答案
该错误与 Content Security Policy 有关正如回溯所暗示的那样。所以如果 default-src
或 worker-src
在 CSP 指令中,每次尝试在 browser that supports CSP for workers 中生成 worker 必须通过此指令或抛出错误。
关于 blob worker 有一个特别说明:
To specify a content security policy for the worker, set a Content-Security-Policy response header for the request which requested the worker script itself.
The exception to this is if the worker script's origin is a globally unique identifier (for example, if its URL has a scheme of data or blob). In this case, the worker does inherit the content security policy of the document or worker that created it.
source: MDN: CSP in workers
因此,创建 blob url 的页面(或 iframe)具有 CSP 指令:
"default-src * data: 'unsafe-eval' 'unsafe-inline'"
现在考虑以下:
As defined above, special URL schemes that refer to specific pieces of unique content, such as "data:", "blob:" and "filesystem:" are excluded from matching a policy of * and must be explicitly listed.
这意味着您需要显式添加
blob:
数据架构到 default-src
或 worker-src
:"default-src * data: 'unsafe-eval' 'unsafe-inline' blob:"
关于javascript - 查看 Chrome 控制台时 video.min.js 出现 "Refused to create worker from blob"错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/54695310/