ios环境:
1、通过微信访问我们的web(test.aspx)页面,页面中有new Function('arg1', code)的代码,第一次访问没问题。
2、页面跳转到http://127.0.0.1:8888/test.docx(window.location.href='http://ip:port/test.docx'),没问题。
3、按返回键(history.go(-1))返回到步骤1的页面,执行new Function时,被浏览器拒绝,
try
{
new Function('arg1', code);
}
catch(e)
{
console.log(e.message) //Refused to evaluate a string as JavaScirpt because 'unsafe-eval' is not allowed source of script in the following Content Security Policy directive :"default-src x-apple-ql-id: 'unsafe-inline'";
}
4、即使我在页面(test.aspx)页面中添加<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self' 'unsafe-inline';"> 也不行。
5、微信中是不是会设置浏览器的CSP规则?
Answer: This is a bug in Apple QuickLook. When you e.g. open Excel document from your page, it is opened in browser using QuickLook and QuickLook patches your CSP policy to add "x-apple-ql-id:" source. When you navigate back, CSP is not restored and could lead to violation reports.