Refused to load the image because it violates content-security-policy -- Cordova


Question

I am trying to deploy my app following the code-push doc. I then added the following content security policy to my app's index.html:

<meta http-equiv="Content-Security-Policy" content="default-src https://codepush.azurewebsites.net 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

Immediately after I added it, my app did not run any more. When I ran it in the Cordova browser, I saw many errors in the console. It turned out that my style files referenced from GitHub, my images referenced from mysite.com/... and my other external scripts (googleapis) were being blocked, so I changed my security policy to the one below:

<meta http-equiv="Content-Security-Policy" content="default-src * 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

It now works fine. My question is: what are the security ramifications? Should I leave it that way? How should I do this better? Any help or opinion would be appreciated. I am worried that leaving * may allow the attacks it is intended to stop.

Recommended answer

You're right, leaving your CSP like this might make things easier for an attacker. The main idea behind using a CSP is URL whitelisting, as described here.

By whitelisting everything with the * wildcard you allow an attacker to load code (and execute it) from anywhere once he is able to inject code into your application. Check out the linked article on this, it's a lot better than what I'm writing here ;)

So what's the right way to do this?

  1. Find out what domains you want to whitelist and what kind of resources each domain provides.
  2. Get rid of the wildcard and whitelist exactly those domains for exactly those resources you need. Let's, for example, take a look at your stylesheets from GitHub. You will have to add GitHub as a trustworthy domain for styles, somewhat like this: style-src 'self' https://github.com 'unsafe-inline';

Note: Be careful with the default-src policy, as it overrides the other policies. And when it comes to whitelisting images, you might have to add the data: keyword, like so: img-src 'self' http://somedomain.com data:;

Mozilla's documentation is quite good if you're looking for an overview of all the policies and keywords...
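To see what the two policies in this thread actually permit, here is a small evaluator, added as an example and not part of the original answer, that parses a CSP string and decides whether an image, style, script or media URL would be fetched. It implements the CSP rules that matter here: a type-specific directive wins, default-src is the fallback for fetch directives that are not set, and * matches network schemes but never data:. The page origin, mysite.com and the sample resource URLs are assumed values.

```javascript
// Added example, not the code of the original post. Minimal evaluator for
// CSP fetch directives: 'self', '*', scheme sources (data:, gap:, https:),
// exact host sources (https://github.com) and wildcard hosts (*.example.com).

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// type is "img", "style", "script" or "media"; pageOrigin is what 'self' means.
// A missing type-specific directive falls back to default-src (CSP semantics).
function cspAllows(policy, type, url, pageOrigin) {
  const d = parseCsp(policy);
  const list = d[`${type}-src`] || d['default-src'];
  if (!list) return true;                       // no directive at all: unrestricted
  const target = new URL(url);
  for (const src of list) {
    const s = src.replace(/^'|'$/g, '').toLowerCase();
    if (s === 'self') { if (target.origin === pageOrigin) return true; continue; }
    if (s === '*') {                             // * never matches data:/blob:/filesystem:
      if (!['data:', 'blob:', 'filesystem:'].includes(target.protocol)) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {        // scheme source, e.g. data: or gap:
      if (target.protocol === s) return true;
      continue;
    }
    if (s.startsWith('*.')) {                    // wildcard subdomain host
      if (target.hostname.endsWith(s.slice(1))) return true;
      continue;
    }
    const candidate = s.includes('://') ? target.origin : target.hostname;
    if (candidate === s.replace(/\/$/, '')) return true;   // exact host source
  }
  return false;
}

// Lint helper: which directives still rely on the * wildcard?
function wildcardDirectives(policy) {
  const d = parseCsp(policy);
  return Object.keys(d).filter((name) => d[name].includes('*'));
}
```

Running the question's second policy through wildcardDirectives shows that default-src and media-src are wide open, while a policy with explicit style-src and img-src entries only admits the listed origins plus data: images.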
