😎1、修复响应头安全策略 2、修覅富文本框图片显示

2025-01-11 17:30:37 +08:00 · 2025-01-11 17:30:37 +08:00 · b04f354f96
commit b04f354f96
parent 3d1f77dc94
2 changed files with 2 additions and 2 deletions
--- a/Admin.NET/Admin.NET.Web.Core/Startup.cs
+++ b/Admin.NET/Admin.NET.Web.Core/Startup.cs
@ -283,7 +283,7 @@ public class Startup : AppStartup
            // 限制 Flash 和其他插件的跨域访问，防止数据泄露
            context.Response.Headers.Append("X-Permitted-Cross-Domain-Policies", "none");
            // 限制可执行的脚本和样式，降低 XSS 攻击的风险
-            context.Response.Headers.Append("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;");
+            context.Response.Headers.Append("Content-Security-Policy", "style-src 'self' 'unsafe-inline';");
            // 允许浏览器使用地理位置 API，但仅限于当前站点
            context.Response.Headers.Append("Permissions-Policy", "geolocation=(self)");
            // 强制使用 HTTPS，防止中间人攻击
--- a/Web/src/components/editor/index.vue
+++ b/Web/src/components/editor/index.vue
@ -63,7 +63,7 @@ const state = reactive({
 						.apiSysFileUploadFilePostForm(file)
 						.then(({ data }) => {
 							if (data.type == 'success' && data.result) {
-								editorRef.value.insertNode({ type: 'image', src: data.result.url, alt: data.result.fileName, href: data.result.url, children: [{ text: '' }] });
+								editorRef.value.insertNode({ type: 'image', src: '/' + data.result.url, alt: data.result.fileName, href: '/' + data.result.url, children: [{ text: '' }] });
 							} else {
 								ElMessage.error('上传失败！');
 							}