Edge忽略内容安全策略中的script-src [英] Edge ignores script-src in Content Security Policy

问题描述

我有以下内容安全政策

value="default-src 'self'
       style-src 'self' 'unsafe-inline'; 
       script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; 
       img-src 'self' data: https://s3.amazonaws.com;
       frame-src 'self' *.salesforce.com *.force.com;"

这在Chrome和Firefox中正常运行.在Edge中，它没有运行，因为我们有一些内联脚本(即onClick="foo()).

This works fine in Chrome and Firefox. In Edge it is not running because we have some inline scripts (ie onClick="foo()).

我的理解是default-src设置默认值，而script-src应该覆盖这些默认值.

My understanding is the the default-src sets the defaults and the script-src should override those defaults.

有人知道这是否是Edge中的错误，还是我以某种方式对其进行了破坏?

Does anyone know if this is a bug in Edge, or if I've botched it in some way?

推荐答案

原来的问题是，尽管这就是我们的CSP在web.test.config中的显示方式，但该转换将以下内容放入了web.config

Turns out the problem was that though that is the way our CSP looks in our web.test.config, the transform puts the following into the web.config

value="default-src 'self'
           style-src 'self' 'unsafe-inline'; 

       script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; 
           img-src 'self' data: https://s3.amazonaws.com;
           frame-src 'self' *.salesforce.com *.force.com;"

基本上，XDT会用 替换值中的CRLF，这会导致Edge放弃处理CSP的操作，因此只获得第一行.

Basically the XDT replaces the CRLFs in the value with , which causes Edge to give up on processing the CSP so you only get the first line.

已提交错误. https://connect.microsoft.com/IE/feedbackdetail/view/2272282/edge-stops-processing-content-security-policy-on-xd-xa

这篇关于Edge忽略内容安全策略中的script-src的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！