From e981d4e1649688ad8588a240c32febb7ebee321b Mon Sep 17 00:00:00 2001
From: syruan <15555146157@163.com>
Date: Mon, 27 Oct 2025 14:58:17 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=AD=A3csp=EF=BC=8C=E5=85=81?= =?UTF-8?q?=E8=AE=B8=E5=86=85=E7=BD=91IP=E8=AE=BF=E9=97=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../java/com/bonus/aqgqj/manager/common/config/CspFilter.java | 1 +
 .../com/bonus/aqgqj/manager/common/config/CspInterceptor.java | 1 +
 .../bonus/aqgqj/manager/common/config/WebSecurityConfig.java | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java b/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
index c95c9c6..b02e1f3 100644
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
@@ -21,6 +21,7 @@ public class CspFilter implements Filter {
 "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
 "img-src 'self' data:; " +
 "font-src 'self' https://cdnjs.cloudflare.com; " +
+ "connect-src 'self' http://192.168.0.16:21520 http://127.0.0.1:21520 http://192.168.0.16:1999; " + // ✅ 允许 AJAX 请求你的后台接口
 "form-action 'self';"; // 新增:限制表单仅提交到当前域名
 httpResponse.setHeader("Content-Security-Policy", cspPolicy);
diff --git a/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java b/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
index 150cac7..c098f87 100644
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
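Review bot: The added connect-src line hard-codes three cleartext http:// origins on private and loopback addresses into the policy string, and the identical literal is duplicated in the CspInterceptor hunk, so the allow-list is now deployment-specific source code that must be edited and kept in sync in two places for every environment. Move the permitted API origins into a configuration property (a list joined into the directive at startup) and build the policy in one shared helper, so a production build does not ship a 127.0.0.1 entry that only works when the browser runs on the API host itself, and so an https deployment does not carry http: origins that browsers will refuse as mixed content. Note also that all three touched files call setHeader("Content-Security-Policy", ...) and setHeader replaces rather than appends, so if this filter, CspInterceptor and the WebSecurityConfig interceptor (third hunk) all run on one response, whichever runs last wins and either the full directive list or frame-ancestors is silently dropped; folding frame-ancestors into this one policy and setting the header in a single place would close that gap. The policy string and its enclosing method begin before this hunk.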
@@ -16,6 +16,7 @@ public class CspInterceptor implements HandlerInterceptor {
 "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
 "img-src 'self' data:; " +
 "font-src 'self' https://cdnjs.cloudflare.com; " +
+ "connect-src 'self' http://192.168.0.16:21520 http://127.0.0.1:21520 http://192.168.0.16:1999; " + // ✅ 允许 AJAX 请求你的后台接口
 "form-action 'self';";
 response.setHeader("Content-Security-Policy", csp);
 return true;
diff --git a/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java b/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
index c6f6d97..56de700 100644
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
@@ -21,7 +21,7 @@ public class WebSecurityConfig implements WebMvcConfigurer {
 // response.setHeader("X-Frame-Options", "SAMEORIGIN");
 // 补充 CSP 头(增强安全性,与 X-Frame-Options 配合)
- response.setHeader("Content-Security-Policy", "frame-ancestors 'none'"); // 禁止所有嵌入
+ response.setHeader("Content-Security-Policy", "frame-ancestors 'self'"); // 禁止所有嵌入
 // 若允许同源:frame-ancestors 'self';
 return true;
 }
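Review bot: The trailing comment `// 禁止所有嵌入` on the changed WebSecurityConfig line is now wrong: `frame-ancestors 'self'` permits same-origin framing and blocks only cross-origin embedding, so both that comment and the now-redundant `// 若允许同源:frame-ancestors 'self';` line below it contradict the code. Replace the trailing comment with `// allow same-origin framing only; cross-origin embedding stays blocked` and delete the redundant line. Because the `X-Frame-Options` line above remains commented out, any client that does not honour frame-ancestors is left with no framing protection at all; re-enabling `response.setHeader("X-Frame-Options", "SAMEORIGIN");` next to the CSP keeps both headers consistent with the relaxed intent. The enclosing preHandle-style method starts before this hunk.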