What does CSP protect us from if allowing unsafe-inline?


Problem description




Currently I'm enabling CSP with the following config:

Header set Content-Security-Policy: "default-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"

Seems it does not do much to improve actual security. The real issue is with inline JS. This can be overridden at any time. Allowing unsafe-inline doesn't protect us from much; what does it protect us from?

Thanks for your time.

Solution

The unsafe-inline option is to be used when moving or rewriting inline code in your current site is not an immediate option but you still want to use CSP to control other aspects (such as object-src, preventing injection of third-party js etc.). You are correct in that unsafe-inline does not offer much security as it allows execution of unsafe in-page scripts and event handlers.

Google's CSP Evaluator is a nifty tool to determine if your policy is strong.

A use case where the unsafe-inline option is used can be found in Google's Web Developer documentation on Content Security Policy:

A wedding-ring discussion forum admin wants to ensure that all resources are only loaded via secure channels, but doesn't really write much code; rewriting large chunks of the third-party forum software that's filled to the brim with inline script and style is beyond his abilities. The following policy would be effective:

Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'

Even though https: is specified in default-src, the script and style directives don't automatically inherit that source. Each directive completely overwrites the default for that specific type of resource.
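To make the two points of the answer concrete (what a policy with 'unsafe-inline' still blocks, and that script-src replaces rather than inherits default-src), here is a small policy evaluator. It is an added example, not code from the question, the answer or Google's documentation: it implements a subset of the CSP source-matching rules (keywords, scheme-source, host-source with a leading wildcard; ports, paths, nonces and hashes are ignored), and the page origin and URLs it is run against are constructed for the example.

```python
from urllib.parse import urlsplit

# Directive that governs each resource type. When the directive is absent the
# browser falls back to default-src; when it is present it replaces
# default-src entirely for that type (no merging).
DIRECTIVE_FOR = {
    "script": "script-src",
    "style": "style-src",
    "img": "img-src",
    "object": "object-src",
}


def parse_csp(header):
    """Parse a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_sources(policy, resource_type):
    """Return the source list that applies to resource_type, or None when
    neither the specific directive nor default-src is present (unrestricted)."""
    directive = DIRECTIVE_FOR[resource_type]
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def source_matches(source, page_origin, url):
    """Match one source expression against a URL (simplified CSP matching:
    'self', scheme-source such as https: or data:, host-source with an
    optional scheme and *. wildcard; ports and paths are not compared)."""
    s = source.lower()
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if s == "'self'":
        return f"{u.scheme}://{u.netloc}".lower() == page_origin.lower()
    if s.startswith("'"):          # 'none', 'unsafe-inline', nonces, hashes: never match a URL
        return False
    if s == "*":                   # any network scheme, but not data:
        return u.scheme in ("http", "https", "ws", "wss")
    if s.endswith(":"):            # scheme-source
        return u.scheme == s[:-1]
    scheme, sep, hostpart = s.partition("://")
    if sep and u.scheme != scheme:
        return False
    hostpart = hostpart if sep else s
    if hostpart.startswith("*."):
        return host.endswith(hostpart[1:])
    return host == hostpart


def is_allowed(policy, resource_type, page_origin, url=None, inline=False):
    """Decide whether a load is permitted. inline=True means an inline
    <script>/<style> block or an event-handler attribute."""
    sources = governing_sources(policy, resource_type)
    if sources is None:
        return True                # nothing restricts this type
    if inline:
        # Nonces, hashes and 'strict-dynamic' disable 'unsafe-inline' in real
        # browsers; that interplay is out of scope for this example.
        return "'unsafe-inline'" in [s.lower() for s in sources]
    return any(source_matches(s, page_origin, url) for s in sources)


# The question's policy, the forum policy from the answer, and a constructed
# policy that shows script-src overriding default-src.
QUESTION_POLICY = ("default-src 'self' data:; script-src 'self' 'unsafe-inline'; "
                   "style-src 'self' 'unsafe-inline'; img-src 'self' data:")
FORUM_POLICY = ("default-src https:; script-src https: 'unsafe-inline'; "
                "style-src https: 'unsafe-inline'")
OVERRIDE_POLICY = "default-src https:; script-src 'unsafe-inline'"

PAGE_ORIGIN = "https://forum.example"   # constructed page origin


def evaluate(policy_header, page_origin=PAGE_ORIGIN):
    """Run a fixed set of constructed loads against a policy."""
    p = parse_csp(policy_header)
    return {
        "inline_script": is_allowed(p, "script", page_origin, inline=True),
        "own_script": is_allowed(p, "script", page_origin, "https://forum.example/app.js"),
        "third_party_script": is_allowed(p, "script", page_origin, "https://cdn.third-party.example/x.js"),
        "http_script": is_allowed(p, "script", page_origin, "http://cdn.third-party.example/x.js"),
        "third_party_object": is_allowed(p, "object", page_origin, "https://cdn.third-party.example/x.swf"),
        "data_image": is_allowed(p, "img", page_origin, "data:image/png;base64,AAAA"),
    }


if __name__ == "__main__":
    for name, header in [("question", QUESTION_POLICY), ("forum", FORUM_POLICY), ("override", OVERRIDE_POLICY)]:
        print(name, evaluate(header))
```

Running it shows the trade-off the answer describes: under the question's policy an injected inline script still executes, but a script or plugin loaded from another origin is blocked (object-src falls back to default-src 'self'). The forum policy allows any https: origin for scripts and objects, so it only enforces the transport, not the source. In the constructed override policy, script-src contains only 'unsafe-inline', so even the page's own https: script is refused: the directive replaced default-src instead of inheriting https: from it.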

