ASP.NET WebForms中的内容安全策略 [英] Content-Security-Policy in ASP.NET WebForms

问题描述

我正在寻找一种很好的方法来为我的ASP.NET WebForms应用程序实现相对较强的Content-Security-Policy标头。我在文件而不是内联中存储了尽可能多的JavaScript，但是默认情况下，WebForms会注入很多内联脚本，以实现诸如表单提交和基本AJAX调用之类的简单操作。

I'm looking for a good way to implement a relatively strong Content-Security-Policy header for my ASP.NET WebForms application. I'm storing as much JavaScript as possible in files instead of inline, but by default, WebForms injects a lot of inline script for things as simple as form submission and basic AJAX calls.

MVC有一些简单的方法来实现随机数，尤其是在第三方库（如NWebsec）的帮助下，但是我似乎找不到任何用WebForms实现它们的方法。 。如果有一种方法可以预测和检索每个.NET注入的脚本标签的哈希值，那么使用哈希就不会有问题。

MVC has some simple ways to implement nonces, especially with the help of third party libraries like NWebsec, but I can't seem to find any methods of implementing them with WebForms. I wouldn't even have a problem using hashes if there were a way to predict and retrieve the hash for each .NET injected script tag.

我讨厌允许不安全内联值。需要关闭如此强大的安全功能感觉不对。有没有实现它在的WebForms？

I hate allowing the 'unsafe-inline' value. It feels wrong needing to turn off such a powerful security feature. Is there a reasonable way to implement it in WebForms?

推荐答案

我有同样的问题，并伤心地说，这是最好的我们完成了。我们基本上确定了我们使用和不使用的东西。我们甚至不得不对其中一些进行不安全的评估，因为我们使用的第三方控件如果没有它就无法工作。我们至少得到的是避免调用外部URL。

I had the same problem and sad to say this was the best we have done. We basically identified what we use and don't use. We even had to put unsafe eval in some of them because we were using third party controls that couldn't work without it. What we get at least is avoiding calls to external url.

default-src 'self'; 
child-src 'self' 'unsafe-inline' 'unsafe-eval'; 
object-src 'none'; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; 
img-src 'self' https://www.google-analytics.com; 
style-src 'self' 'unsafe-inline'

这篇关于ASP.NET WebForms中的内容安全策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！