Content Security Policy does not work in Internet Explorer 11


Problem description

In my asp.net core application, for each response I'm adding a Content Security Policy header. I understand that for IE the header name is X-Content-Security-Policy and for other browsers like Chrome it's Content-Security-Policy.

The header value looks something like below, where the nonce is different for each response.

default-src 'none';   
script-src 'self' 'nonce-somerandomvalue-differnt-foreach-reasone' 'unsafe-eval';  
style-src 'self' 'unsafe-inline';   
img-src 'self' data:;   
font-src 'self';    
object-src 'self';   
connect-src 'self';   
report-uri /csp/report;   

The application is using inline javascript on a few pages. So to fix the inline-script violation I am adding the same nonce value in the script tag.
<script type="text/javascript" nonce="somerandomvalue-differnt-foreach-reasone">
The important thing here is that the nonce value needs to match the nonce value in the header. Some details here.

I implemented a middleware & tag-helper which add the nonce into the header & script tag respectively. And I made sure that both nonce values match when the page renders.

Then, just for testing purposes, on a page I added a script without a nonce:

<script type="text/javascript">
    $(function () {
        alert('i am hacker');
    })
</script>

Google Chrome detects this violation and blocks the above script as expected. However, in IE 11 the above script gets executed without any violation. Again, I made sure the header in IE is X-Content-Security-Policy.

Why is IE 11 not blocking the script?

Recommended answer

IE 11 doesn't support use of the nonce attribute and the nonce- source value at all.

The only CSP directive IE11 supports is the sandbox directive. It ignores all other CSP directives.

So you could just completely drop the 'nonce-somerandomvalue-differnt-foreach-reasone' part from your X-Content-Security-Policy header and IE11 will still allow inline scripts.

IE11 will allow inline scripts no matter what you do, unless you have your server send the response with an X-Content-Security-Policy: sandbox header, in which case it will disallow all scripts. And the only way to relax that is to send X-Content-Security-Policy: sandbox allow-scripts, but that will allow all scripts, including inline scripts.

So I think that with IE11 there's no way to tell it to disallow just inline scripts. You can only tell IE11 to either allow all scripts, or to allow none.

Also note: IE11 was released in 2013, long before the nonce attribute was specified anywhere. I think the first CSP draft spec that the nonce attribute was specified in was some time in 2014.

http://caniuse.com/#feat=contentsecuritypolicy has details on browser support for CSP1 directives:

Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the X-Content-Security-Policy header.

The nonce attribute is a CSP2 feature. See http://caniuse.com/#feat=contentsecuritypolicy2

Support for nonce and other CSP2 features was added in Edge 15. So Edge 14 and earlier have no support for nonce or other new-in-CSP2 features. But Edge 12+ has full support for all of CSP1.
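The following is an added example, not code from the question's ASP.NET Core application or from the answer. It models both halves of the thread in Python: the per-response nonce and header construction the question describes (with a check that the nonce in the emitted script tag matches the `'nonce-…'` source in `script-src`), and the answer's description of what IE11 actually enforces from an `X-Content-Security-Policy` header (only `sandbox`, with `allow-scripts` as the sole relaxation). The user-agent sniffing in `header_name_for`, the `browser` labels `"ie11"` and `"csp2"`, and the sample script tags are assumptions made for the example; the CSP2 rule that a present nonce or hash source makes `'unsafe-inline'` ignored is standard CSP Level 2 behaviour and is not stated on the page.

```python
"""Per-response CSP nonce handling, plus a model of what IE11 enforces (example code)."""
import re
import secrets


def make_nonce(num_bytes: int = 16) -> str:
    # A fresh, unpredictable value per response; reusing a nonce across responses
    # lets an injected script from one page be replayed against the policy.
    return secrets.token_urlsafe(num_bytes)


def build_csp(nonce: str, report_uri: str = "/csp/report") -> str:
    # Same policy shape as in the question, with the nonce substituted in.
    return "; ".join([
        "default-src 'none'",
        f"script-src 'self' 'nonce-{nonce}' 'unsafe-eval'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "font-src 'self'",
        "object-src 'self'",
        "connect-src 'self'",
        f"report-uri {report_uri}",
    ])


def header_name_for(user_agent: str) -> str:
    # Assumption for the example: pick the header name as the question does, by
    # recognising IE from its user agent (IE11 carries 'Trident/' but no 'MSIE').
    if "Trident/" in user_agent or "MSIE " in user_agent:
        return "X-Content-Security-Policy"
    return "Content-Security-Policy"


def parse_csp(policy: str) -> dict:
    # Directives are ';'-separated; within one, tokens are whitespace-separated
    # and the first token is the directive name.
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_tag(nonce: str, body: str) -> str:
    # token_urlsafe output contains only [A-Za-z0-9_-], so no attribute escaping is needed here.
    return f'<script type="text/javascript" nonce="{nonce}">{body}</script>'


def nonce_matches(policy: str, tag: str) -> bool:
    # The inline script is allowed by a CSP2 browser only if its nonce attribute
    # equals one of the 'nonce-…' sources listed in script-src.
    sources = parse_csp(policy).get("script-src", [])
    allowed = {s[len("'nonce-"):-1] for s in sources
               if s.startswith("'nonce-") and s.endswith("'")}
    m = re.search(r'nonce="([^"]*)"', tag)
    return bool(m) and m.group(1) in allowed


def inline_script_runs(policy: str, tag: str, browser: str) -> bool:
    """Would this inline script execute under `policy` in the given browser model?"""
    d = parse_csp(policy)
    if browser == "ie11":
        # Per the answer: IE11 honours only the sandbox directive. No sandbox means no
        # script restriction; 'sandbox' blocks all scripts; 'sandbox allow-scripts'
        # allows all scripts, inline ones included. Nonces are never consulted.
        if "sandbox" not in d:
            return True
        return "allow-scripts" in d["sandbox"]
    # CSP2 model: script-src falls back to default-src; inline code runs only via a
    # matching nonce, or via 'unsafe-inline' when no nonce/hash source is present.
    sources = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return nonce_matches(policy, tag)


if __name__ == "__main__":
    n = make_nonce()
    policy = build_csp(n)
    good = script_tag(n, "$(function () { /* page code */ })")
    rogue = '<script type="text/javascript">alert("no nonce");</script>'  # constructed sample
    print("nonce tag, CSP2 browser :", inline_script_runs(policy, good, "csp2"))
    print("rogue tag, CSP2 browser :", inline_script_runs(policy, rogue, "csp2"))
    print("rogue tag, IE11         :", inline_script_runs(policy, rogue, "ie11"))
    print("rogue tag, IE11 sandbox :", inline_script_runs("sandbox", rogue, "ie11"))
```

Run stand-alone, the script reproduces the thread: a Chrome-class browser runs the nonced tag and blocks the un-nonced one, while the IE11 model runs the un-nonced tag under the full nonce policy and only stops it when the policy is `sandbox` without `allow-scripts`. The practical consequence for a defender is that the X-Content-Security-Policy header buys no inline-script protection on IE11, so output encoding and server-side controls remain the actual defence there.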
