Refused to load the image because it violates Content-Security-Policy -- Cordova
Question
I am trying to deploy my app following the code-push doc. I then added the following Content-Security-Policy to my app's index.html:
<meta http-equiv="Content-Security-Policy" content="default-src https://codepush.azurewebsites.net 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
Immediately after I added it, my app did not run any more. When I ran it in the Cordova browser I saw many errors in the console. It turns out my style files referenced from GitHub, my images referenced from mysite.com/... and my other external scripts (googleapis) were the problem, so my security policy is now the one below:
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
It now works fine. My question is, what are the security ramifications? Should I leave it that way? How should I do this better? Any help or opinion would be appreciated. I am worried that leaving * may allow the attacks it was intended to stop.
Recommended answer
You're right, leaving your CSP like this might make things easier for an attacker. The main idea behind using a CSP is URL whitelisting, as described here.
By whitelisting everything with the * wildcard you allow an attacker to load (and execute) code from anywhere once they are able to inject code into your application. Check out the linked article on this, it's a lot better than what I'm writing here ;)
So what's the right way to do this?
- Find out what domains you want to whitelist and what kind of resources this domain provides.
- Get rid of the wildcard and whitelist exactly those domains for exactly those resources you need. Let's, for example, take a look at your stylesheets from GitHub. You will have to add GitHub as a trustworthy domain for styles, somewhat like this:
style-src 'self' https://github.com 'unsafe-inline';
Note: Be careful with the default-src policy as it overrides the other policies. And when it comes to whitelisting images, you might have to add the data: keyword, like so: img-src 'self' http://somedomain.com data:;
Mozilla's documentation is quite good if you're looking for an overview of all the policies and keywords...
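The following is an added example, not code from the question or the answer: a small JavaScript evaluator for the host and scheme part of a CSP, so the two policies from the question and a tightened one in the spirit of the answer can be compared offline, the way the browser console would report blocked loads. It assumes a document origin of https://localhost (the Cordova WebView origin differs by platform and version), a handful of constructed request URLs modelled on what the question describes, and illustrative hosts in the tightened policy (ajax.googleapis.com, mysite.com); none of these URLs come from the original post.

```javascript
// Added example (not from the original question or answer): a minimal CSP
// evaluator covering default-src fallback, 'self', '*', scheme-sources
// (data:, gap:) and host-sources with wildcard subdomains. Nonces, hashes,
// 'unsafe-inline' and 'unsafe-eval' are recognised as keywords but never
// match a URL, which is all this check needs.

const DIRECTIVE_FOR = {            // fetch type -> directive that governs it
  script: 'script-src', style: 'style-src', img: 'img-src',
  media: 'media-src', connect: 'connect-src', font: 'font-src',
};
const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);
const DEFAULT_PORTS = { http: '80', https: '443', ws: '80', wss: '443' };
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9][a-z0-9.-]*)(?::(\d+|\*))?(\/\S*)?$/;

// "default-src 'self' a; img-src data:"  ->  { 'default-src': [...], 'img-src': [...] }
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Host-source matching: scheme (with http->https upgrade), host (exact or *.suffix), port, path.
function hostSourceMatches(source, resource, self) {
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;                                   // malformed source expression
  const [, scheme, host, port, path] = m;
  const resScheme = resource.protocol.slice(0, -1);
  if (scheme) {
    if (scheme !== resScheme && !(scheme === 'http' && resScheme === 'https')) return false;
  } else if (resScheme !== self.protocol.slice(0, -1) && resScheme !== 'https') {
    return false;                                         // scheme-less source: document scheme (or https)
  }
  const resHost = resource.hostname;
  if (host.startsWith('*.')) { if (!resHost.endsWith(host.slice(1))) return false; }
  else if (host !== '*' && host !== resHost) return false;
  if (port === undefined) { if (resource.port !== '') return false; }   // default port only
  else if (port !== '*' && port !== (resource.port || DEFAULT_PORTS[resScheme])) return false;
  if (path && (path.endsWith('/') ? !resource.pathname.startsWith(path) : resource.pathname !== path)) return false;
  return true;
}

function sourceMatches(src, resource, self) {
  const s = src.toLowerCase();
  if (s === "'self'") return self.origin !== 'null' && resource.origin === self.origin;
  // '*' covers network schemes only: data:, blob: and the like still need listing.
  if (s === '*') return NETWORK_SCHEMES.has(resource.protocol) || resource.protocol === self.protocol;
  if (s.startsWith("'")) return false;                    // 'none', 'unsafe-*', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return resource.protocol === s;   // scheme-source, e.g. data: gap:
  return hostSourceMatches(s, resource, self);
}

// Would a fetch of `type` for `resourceUrl` be allowed by `policy` in a document at `documentUrl`?
function isAllowed(policy, type, resourceUrl, documentUrl) {
  const name = DIRECTIVE_FOR[type];
  if (!name) throw new Error(`unknown fetch type: ${type}`);
  const directives = parseCsp(policy);
  // A directive that is present replaces default-src for its type; only an absent one falls back.
  const sources = directives[name] ?? directives['default-src'];
  if (!sources) return true;                               // nothing governs this fetch
  const self = new URL(documentUrl);
  const resource = new URL(resourceUrl, documentUrl);
  return sources.some(src => sourceMatches(src, resource, self));
}

const DOCUMENT_URL = 'https://localhost/index.html';       // assumed Cordova WebView origin
const ORIGINAL_POLICY = "default-src https://codepush.azurewebsites.net 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *";
const LOOSE_POLICY = "default-src * 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *";
// Tightened policy in the spirit of the answer; the hosts are assumptions, not from the question.
const TIGHT_POLICY = "default-src 'self' https://codepush.azurewebsites.net gap:; script-src 'self' https://ajax.googleapis.com 'unsafe-eval'; style-src 'self' https://github.com 'unsafe-inline'; img-src 'self' https://mysite.com data:; media-src 'self'";

// Constructed requests modelled on what the question describes (URLs are assumed).
const SAMPLE_REQUESTS = [
  { type: 'style',   url: 'https://github.com/example/app/theme.css' },
  { type: 'img',     url: 'https://mysite.com/images/logo.png' },
  { type: 'img',     url: 'data:image/png;base64,iVBORw0KGgo=' },
  { type: 'script',  url: 'https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js' },
  { type: 'script',  url: 'https://evil.example/inject.js' },
  { type: 'connect', url: 'https://codepush.azurewebsites.net/v0.1/public/codepush/update_check' },
];

// URLs the policy refuses to load, i.e. what the console errors would list.
function blockedRequests(policy, documentUrl = DOCUMENT_URL, requests = SAMPLE_REQUESTS) {
  return requests.filter(r => !isAllowed(policy, r.type, r.url, documentUrl)).map(r => r.url);
}

console.log('original policy blocks:', blockedRequests(ORIGINAL_POLICY));
console.log('wildcard policy blocks:', blockedRequests(LOOSE_POLICY));
console.log('tightened policy blocks:', blockedRequests(TIGHT_POLICY));
```

Run it with node. Two points it makes concrete: the wildcard policy lets https://evil.example/inject.js through, which is exactly the attacker's injected script the answer warns about, while the tightened policy blocks only that request. And because a fetch directive that is present never falls back to default-src, style-src 'self' 'unsafe-inline' keeps blocking the GitHub stylesheet under both of the question's policies until github.com is added to style-src as the answer shows; likewise * does not match data:, so data: has to stay listed explicitly for inline images.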