Missing Content Security Policy header - issue with Chrome and Firefox


Problem description

I have to fix the Missing Content Security Policy Header issue for a Classic ASP application. We have added the below in Web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Content-Security-Policy" value="default-src" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

Post change, in IE the application is working, but in Mozilla and Chrome the application is not rendering properly (the CSS is not loading properly).

If I add the same in a particular ASP page too (Response.AddHeader "Content-Security-Policy","default-src"), the same issue happens.

Please advise.

Recommended answer

It's "working" in IE because IE doesn't support CSP headers, so it just ignores the policy and loads everything.

The behaviour in Firefox and Chrome would more correctly be described as "working", because they're doing exactly what you told them to: block everything.

You need to generate a valid policy header for your site.
CSP Cheat Sheet
Generate your CSP

If you don't want to read through the documentation, Mozilla have an extension for Firefox which should get you started:
Laboratory (Content Security Policy / CSP Toolkit) :: Add-ons for Firefox


The below tag is working now for me
<add name="Content-Security-Policy" value="script-src 'unsafe-inline' 'unsafe-eval' https://example.com; style-src 'self' 'unsafe-inline'" />

Now there is no error in Mozilla or Chrome. The page is rendering properly as the CSS and JS is loading properly in asp pages.
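
An added example, not part of the original thread: a simplified JavaScript reading of the two header values above, showing why an empty `default-src` source list blocks stylesheets and which directives in the second value rely on `'unsafe-inline'` or `'unsafe-eval'`. The function names and the three reported resource types are assumptions of this sketch, and it ignores host/scheme matching and the `*-src-elem` fallback chains.

```javascript
// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list governing a resource type: its own directive, else default-src.
// Returns null when neither exists (the policy does not restrict that type).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function audit(headerValue, types = ['script-src', 'style-src', 'img-src']) {
  const directives = parseCsp(headerValue);
  const report = {};
  for (const type of types) {
    const sources = effectiveSources(directives, type);
    const onlyNone = sources !== null && sources.length === 1 &&
      sources[0].toLowerCase() === "'none'";
    if (sources === null) {
      report[type] = 'unrestricted';
    } else if (sources.length === 0 || onlyNone) {
      // An empty source list matches nothing, exactly like 'none'.
      report[type] = 'blocked';
    } else if (sources.some(s => /^'unsafe-(inline|eval)'$/i.test(s))) {
      report[type] = 'allowed-with-unsafe';
    } else {
      report[type] = 'allowed';
    }
  }
  return report;
}

// The two header values quoted in the thread.
const original = "default-src";
const revised = "script-src 'unsafe-inline' 'unsafe-eval' https://example.com; " +
  "style-src 'self' 'unsafe-inline'";
console.log(audit(original));
console.log(audit(revised));
```

Because the second value has no `default-src`, any resource type it does not name (images, fonts, frames) is left unrestricted by the policy.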

