Моё приложение должно использовать шрифты Google. Вот ссылки, которые подключаются в разметке страницы:
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet" >
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600,100|Raleway:400,600,100" rel="stylesheet" >
<link href="https://fonts.googleapis.com/css?family=Roboto&display=swap" rel="stylesheet" >
Браузер заблокировал эти запросы из-за Content Security Policy (CSP). Тогда я подключил пакет Joonasw.AspNetCore.SecurityHeaders. Вот моя конфигурация в Startup.cs:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env) {
app.UseSerilogRequestLogging();
if (env.IsDevelopment()) {
app.UseDeveloperExceptionPage();
}
else {
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
//app.UseHsts();
}
app.UseHsts(new HstsOptions(TimeSpan.FromDays(30), includeSubDomains: false, preload: false));
// Use certificate pinning with:
// - 30-day caching period
// - One pin in SHA-256 form
// - Report-Only = Invalid certificate should not be reported, but:
// - Report problems to /hpkp-report
app.UseHpkp(hpkp = >{
hpkp.UseMaxAgeSeconds(30 * 24 * 60 * 60).AddSha256Pin("nrmpk4ZI3wbRBmUZIT5aKAgP0LlKHRgfA2Snjzeg9iY=").SetReportOnly().ReportViolationsTo("/hpkp-report");
});
app.UseCsp(csp = >{
// If nothing is mentioned for a resource class, allow from this domain
csp.ByDefaultAllow.FromSelf();
// Allow JavaScript from:
csp.AllowScripts.FromSelf() //This domain
.From("cdnjs.cloudflare.com").AddNonce(); //<----;
// CSS allowed from:
csp.AllowStyles.FromSelf().From("fonts.googleapis.com").From("fonts.gstatic.com").AddNonce(); //<----;
csp.AllowImages.FromSelf();
// HTML5 audio and video elemented sources can be from:
csp.AllowAudioAndVideo.FromNowhere();
// Contained iframes can be sourced from:
csp.AllowFrames.FromNowhere(); //Nowhere, no iframes allowed
// Allow AJAX, WebSocket and EventSource connections to:
csp.AllowConnections.To("ws://localhost:1591").To("http://localhost:1591").ToSelf();
// Allow fonts to be downloaded from:
csp.AllowFonts.FromSelf().From("fonts.googleapis.com").From("fonts.gstatic.com");
// Allow object, embed, and applet sources from:
csp.AllowPlugins.FromNowhere();
// Allow other sites to put this in an iframe?
csp.AllowFraming.FromNowhere(); // Block framing on other sites, equivalent to X-Frame-Options: DENY
//// Do not block violations, only report
//// This is a good idea while testing your CSP
//// Remove it when you know everything will work
//csp.SetReportOnly();
//// Where should the violation reports be sent to?
//csp.ReportViolationsTo("/csp-report");
// Do not include the CSP header for requests to the /api endpoints
csp.OnSendingHeader = context = >{
context.ShouldNotSend = context.HttpContext.Request.Path.StartsWithSegments("/api");
return Task.CompletedTask;
};
});
app.Use((context, next) = >{
context.Request.Scheme = "https";
return next();
});
app.UseCors("api");
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthorization();
app.UseEndpoints(endpoints = >{
endpoints.MapDefaultControllerRoute();
});
//app.UseHttpsRedirection();
app.UseSwagger();
app.UseSwaggerUI(c = >{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "API V1");
});
Но браузер всё равно показывает ту же ошибку. Вот скриншот.
Вот пример запроса; не понимаю, почему в ответе сервера нет заголовка Content-Security-Policy (CSP задаётся заголовком ответа, а не запроса). Если заголовка в ответе нет, а браузер всё же блокирует загрузку шрифтов по CSP, то политика, по-видимому, приходит не из этого middleware — например, из тега `<meta http-equiv="Content-Security-Policy">` в разметке или из другого фильтра/прокси, и менять нужно именно тот источник.
Я сделал неправильную конфигурацию? Использую .NET Core 3.1.