How to whitelist dynamically created scripts in a WebForms project using CSP (Content Security Policy)?


Problem description

Is there a secure way of whitelisting dynamically created scripts in a WebForms project using CSP (Content Security Policy)?

Using unsafe-inline like below it works but not recommended.

context.Response.Headers.Append("Content-Security-Policy", string.Format("default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data: https:; style-src 'self'; script-src 'self' 'unsafe-inline'"));

For any other options such as nonce-(random), we see this CSP error message:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash, or a nonce is required to enable inline execution.

Answer

There is no such thing as 'safe-inline' for dynamic scripts, try to use dynamic imports instead? (you can reload such a script in code).

You shouldn't normally have to use 'unsafe-inline'; two things that often become problematic are live-reloading in development and setTimeout/setInterval in your code, which can trigger CSP easily. So it is better to just disable CSP in development to increase your delivery speed. 'unsafe-inline' is there to enable execution of dynamically created scripts.

Update

To solve this you need to load a custom script using the standard (perhaps with async/defer) <script src="/myscript.js"></script> and the 'unsafe-inline' requirement goes away. However, your technology choice ("webforms") might limit your options to do that. To test anyway, use a CDN URL or a separate server (internal or external) to deliver your script. I have tested this locally with nodejs and it works as expected. The "problem" you have is most likely because you write code like this (or code is put there):

<script>function unsafeInline(){...}</script>

Modernizr is now v3.6.0 you use v2.8.3 and to make your error go away you can add this to your header:

<head>
  <title>CSP Test</title>
  <!-- the CSP meta tag only takes effect inside <head>, not <header> -->
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com/;">
  <script src="https://cdnjs.cloudflare.com/ajax/libs/modernizr/2.8.3/modernizr.min.js"></script>
</head>

From a related question on this subject:

If modernizr is injecting all that inline stuff then it seems like your choices are to either (a) add all those hashes, (b) use 'unsafe-inline' (but which basically defeats the whole purpose of CSP…), or (c) don't use modernizr.

The answer to that question is: remove "inline stuff" from modernizr. You can always use document.body.style = "background: #000000;"; from an external library to set style (or other) attributes. I tried all "normal" code activities in an imported external script and it doesn't trigger CSP. By normal I also mean assign objects (functions) to the window object and executing them.

Look for *.createElement("script") or similar, because that will definitely trigger CSP.
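As an added example (not code from the question or the answer above), the following Python models the decision behind the "Refused to execute inline script" error and provides the hash and nonce helpers needed for option (a) or a nonce-based header; the inline script text is a constructed sample.

```python
import base64
import hashlib
import re
import secrets
from typing import List, Optional

# Constructed sample: the kind of inline script body the answer says trips CSP
# (the exact text between <script> and </script>).
INLINE_SCRIPT = "function unsafeInline(){ return 1; }"

def csp_sha256(script_body: str) -> str:
    """Source expression 'sha256-<base64>' for one inline script.
    The digest covers the exact script text, whitespace included, so any
    change to the rendered script invalidates the hash."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def new_nonce(nbytes: int = 16) -> str:
    """Fresh, unguessable per-response nonce; emit it in the header as
    'nonce-<value>' and on each allowed <script nonce="<value>">."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def script_src_sources(policy: str) -> List[str]:
    """Source list governing scripts: script-src, else the default-src fallback."""
    directives = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))

def inline_allowed(policy: str, script_body: str, nonce_attr: Optional[str] = None) -> bool:
    """Decide, as the browser does, whether an inline <script> may run under
    `policy`: via 'unsafe-inline', a matching hash, or a matching nonce."""
    sources = script_src_sources(policy)
    # Once any nonce or hash source is present, 'unsafe-inline' is ignored.
    strict = any(re.match(r"'(nonce|sha256|sha384|sha512)-", s) for s in sources)
    if "'unsafe-inline'" in sources and not strict:
        return True
    if csp_sha256(script_body) in sources:
        return True
    return nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources

if __name__ == "__main__":
    blocked = "default-src 'none'; script-src 'self'"          # the question's error case
    hashed = blocked + " " + csp_sha256(INLINE_SCRIPT)         # option (a) from the answer
    print(inline_allowed(blocked, INLINE_SCRIPT), inline_allowed(hashed, INLINE_SCRIPT))
```

A hash only matches the exact script text, so it suits static inline blocks; scripts whose content changes per render need a per-response nonce carried both in the header and on the script tag.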
