Last updated (UTC): 2024-11-24.

# Integrate with a Content Security Policy

[Content Security Policy](//csp.withgoogle.com/) (CSP) is a means of securing
your web page by limiting what resources and scripts are allowed to load and
execute. You can enable CSP by setting a `Content-Security-Policy` header in
HTTP responses from your web server.

There are two standard ways to configure CSP:

1. Specify an allowlist of domains that can inject their resources on the page.

2. Specify a random nonce, with which resources on the page must be marked in
   order to load. This approach is known as [strict CSP](//csp.withgoogle.com/docs/strict-csp.html).

Because the domains that Google Publisher Tag (GPT) uses change over
time, we only support strict CSP (option 2). This approach removes the need to
maintain a rolling list of domains that might become outdated and break your
site.

Setting up CSP with GPT
-----------------------

1. Enable CSP on your web server.

   Follow the steps outlined in [adopting strict CSP](//csp.withgoogle.com/docs/adopting-csp.html) to
   set up the CSP header and apply the nonce to every script tag on your page,
   including `gpt.js`. GPT specifically supports the following
   CSP directives:

       Content-Security-Policy:
       object-src 'none';
       script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
       base-uri 'none';
       report-uri https://your-report-collector.example.com/

   You can choose a more permissive policy if it fits your use case. More
   restrictive policies may break without notice.

2. Enable cross-domain rendering.

   Ad iframes can load external resources that might not be permitted by the
   CSP. Since same-domain iframes inherit the top-level window's CSP, and
   GPT cannot control the creative's contents, same-domain
   creatives will generally not work properly with CSP headers.

   To enable cross-domain rendering for all creatives, execute
   [`googletag.setConfig({ safeFrame: { forceSafeFrame: true } })`](/publisher-tag/reference#googletag.config.PageSettingsConfig.safeFrame)
   before loading any ad slots.

   **Note:** Certain reservation creatives may depend on being rendered in a
   same-domain iframe and fail to load with SafeFrame enabled globally. Check
   your inventory to see if this is the case; one indicator is the creative
   content checking for the existence of `inDapIF` or `inGptIF` variables.

       <!doctype html>
       <html>
       <head>
       <meta charset="utf-8">
       <title>Hello GPT</title>
       <script src="https://securepubads.g.doubleclick.net/tag/js/gpt.js" nonce="KC7tcz53FHqumKP1" async></script>
       <script nonce="KC7tcz53FHqumKP1">
         window.googletag = window.googletag || {cmd: []};
         googletag.cmd.push(function() {
           googletag.setConfig({ safeFrame: { forceSafeFrame: true } });
         });
       </script>
       </head>
       </html>

Testing
-------

We recommend that you test your policies first by setting the
[`Content-Security-Policy-Report-Only`](/web/fundamentals/security/csp#reporting) header instead of
`Content-Security-Policy`. The header reports violations but still allows
them on the page.