ASP.NET WebForms 中的内容安全策略 [英] Content-Security-Policy in ASP.NET WebForms

问题描述

我正在寻找一种好方法来为我的 ASP.NET WebForms 应用程序实现相对强大的 Content-Security-Policy 标头.我将尽可能多的 JavaScript 存储在文件中而不是内联中，但默认情况下，WebForms 注入了大量内联脚本 — 用于诸如表单提交和基本 AJAX 调用之类的简单事情.

I'm looking for a good way to implement a relatively strong Content-Security-Policy header for my ASP.NET WebForms application. I'm storing as much JavaScript as possible in files instead of inline, but by default, WebForms injects a lot of inline scripts—for things as simple as form submission and basic AJAX calls.

MVC 有一些简单的方法来实现 nonce，尤其是在像 NWebsec 这样的第三方库的帮助下，但我似乎找不到任何用 WebForms 实现它们的方法.如果有一种方法可以预测和检索每个 .NET 注入的脚本标记的哈希值，我什至不会在使用哈希值时遇到问题.

MVC has some simple ways to implement nonces, especially with the help of third party libraries like NWebsec, but I can't seem to find any methods of implementing them with WebForms. I wouldn't even have a problem using hashes if there were a way to predict and retrieve the hash for each .NET injected script tag.

我讨厌允许 'unsafe-inline' 值.需要关闭如此强大的安全功能感觉是错误的.有没有合理的方法在 WebForms 中实现它?

I hate allowing the 'unsafe-inline' value. It feels wrong needing to turn off such a powerful security feature. Is there a reasonable way to implement it in WebForms?

推荐答案

我遇到了同样的问题.我很遗憾地说这是我们做过的最好的事情.我们基本上确定了我们使用和不使用的内容.我们甚至不得不在一些指令中加入 unsafe-eval，因为我们使用的第三方控件没有它就无法工作.至少我们避免调用外部网址.

I had the same problem. I'm sad to say this was the best we have done. We basically identified what we use and don't use. We even had to put unsafe-eval in some instructions because we were using third party controls that couldn't work without it. At least we avoid calls to external urls.

default-src 'self'; 
child-src 'self' 'unsafe-inline' 'unsafe-eval'; 
object-src 'none'; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; 
img-src 'self' https://www.google-analytics.com; 
style-src 'self' 'unsafe-inline'

这篇关于ASP.NET WebForms 中的内容安全策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！