What is the current best-practice for using Content-Security-Policy with modernizr?


Problem description

We want to secure our site with Content-Security-Policy, and even with the setting of allowing inline scripts (default-src 'self'; script-src 'self' 'unsafe-inline'), loading modernizr (2.6.2) produces 4 CSP violations:

I upgraded to the latest version (3.6.0), the develop version, and now it produces over 30 CSP violations:

I couldn't find any official statement on CSP on the modernizr site; it merely mentions that in 2012 they added a detect for Content Security Policy (https://modernizr.com/news/modernizr-262). Reading various blogs and Stack Overflow questions, I find the most up-to-date best-practice, from 2017, to be:

If modernizr is injecting all that inline stuff then it seems like your choices are to either (a) add all those hashes, (b) use 'unsafe-inline' (but which basically defeats the whole purpose of CSP…), or (c) don't use modernizr.

Although, the errors I am getting occur even when using unsafe-inline.

Has anyone found a workable solution for using Content-Security-Policy and modernizr together?

Recommended answer

Try using this lenient CSP default-src * 'unsafe-eval' 'unsafe-inline' 'unsafe-dynamic' data: filesystem: about: blob: ws: wss: and start removing keywords until you start getting errors; with this method you can adjust your CSP to your needs.

It would be nice if there was some sort of CSP generator where you give it a website and it just knows which CSP you need in order to not keep erroring.

Remember that * means allow all domains, so replace this with all domains you intend to support.

This of course just fixes, or solves, the issue, and it depends what's at stake: what content your website offers, and how vulnerable users would be if an XSS attack could be carried through. CSP protects merely against XSS attacks, that is, JavaScript that could be inserted by a third party; using HTTPS, for example, will make it almost impossible for a MITM to inject arbitrary code.
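As an added example (not code from the question, the answer, or the Modernizr project): a small Python helper for the pruning method described in the answer. It audits which directives of a policy still carry wildcard or unsafe-* sources, flags quoted keywords that CSP does not define and browsers therefore ignore ('unsafe-dynamic' is not a CSP keyword; 'strict-dynamic' is), and computes the 'sha256-…' hash source you would list under script-src for an inline script, which is option (a) in the advice quoted in the question. The inline script body used at the bottom is constructed for the demo.

```python
import base64
import hashlib

# Source expressions that broaden a policy enough to be worth flagging
RISKY = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "filesystem:"}
# Keyword sources defined by CSP; any other quoted token is ignored by browsers
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
            "'wasm-unsafe-eval'"}
HASH_OR_NONCE = ("'sha256-", "'sha384-", "'sha512-", "'nonce-")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy header value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy: str) -> dict[str, list[str]]:
    """Per directive, list risky sources plus quoted keywords the spec does not
    define (those add no protection, so they should not stay in a final policy)."""
    findings: dict[str, list[str]] = {}
    for name, sources in parse_csp(policy).items():
        bad = [s for s in sources if s in RISKY]
        bad += [s for s in sources if s.startswith("'")
                and s not in KEYWORDS and not s.startswith(HASH_OR_NONCE)]
        if bad:
            findings[name] = bad
    return findings


def csp_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Hash source for an inline script, hashed exactly as the bytes between
    <script> and </script> (whitespace included), base64 of the raw digest."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


if __name__ == "__main__":
    lenient = ("default-src * 'unsafe-eval' 'unsafe-inline' 'unsafe-dynamic' "
               "data: filesystem: about: blob: ws: wss:")
    print(audit_csp(lenient))
    # Constructed inline script, standing in for one a library would inject
    print(csp_hash_source("document.documentElement.className += ' js';"))
```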
