How to define Content-Security-Policy in Cordova properly?


Question

I am struggling for some days already with defining my Content-Security-Policy for my Cordova app.

My first question is: do I have to add a CSP in Cordova? It seems like Cordova adds a meta tag for CSP by default and adds the Whitelist plugin, requiring you to define your CSP for every page.

If I have to define it:

How do I properly define the directives for my needs?

I am adding some JS files and CSS files, and have inline JS code as well as styles. I have added this CSP for my page, and it is complaining about style-src.

<meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self' 'nonce-Random'; connect-src 'self'; img-src *; style-src *; media-src *"> 

I want to know how to properly add CSP for script-src, style-src, media-src, img-src. I have read the W3C draft but could not figure it out.

And do I have to do something on the Cordova side too?

Best,
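The policy in the question can be checked mechanically, which makes the style-src complaint easier to explain. The block below is an added example and is not code from the question, the answer, or Cordova itself: a small CSP evaluator in JavaScript that parses the content attribute of the meta tag and reports whether a URL load or an inline block would be allowed. The page origin https://localhost, the hosts api.example.com and cdn.example.com, the data: image and the "tightened" policy are constructed for the example; port and path parts of host sources are parsed but not matched, and hash sources are not modelled. The point it demonstrates is that `*` matches URLs only, so `style-src *` still blocks inline styles, which need 'unsafe-inline' or a nonce, and that a directive missing from the policy falls back to default-src.

```javascript
// Added example (not from the question, the answer or Cordova): a minimal
// Content-Security-Policy evaluator covering host/scheme sources, '*',
// 'self', 'none', 'unsafe-inline', nonces and the default-src fallback.

// Parse "directive src src; directive src" into { directive: [sources] }.
// CSP keeps the first occurrence of a directive that is listed twice.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Fetch directives (script-src, style-src, img-src, connect-src, ...) fall
// back to default-src; if neither is present the load is unrestricted.
function effectiveSources(directives, name) {
  if (name in directives) return directives[name];
  if ("default-src" in directives) return directives["default-src"];
  return null;
}

// Does one source expression match a URL loaded from pageOrigin?
function sourceMatchesUrl(source, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  if (source === "*") {
    // '*' matches any http(s)/ws(s) URL, but never inline content or data:.
    return ["http:", "https:", "ws:", "wss:"].includes(target.protocol);
  }
  if (source === "'self'") return target.origin === page.origin;
  if (source.startsWith("'")) return false;              // keyword/nonce: not a URL match
  if (source.endsWith(":")) return target.protocol === source; // scheme-source, e.g. "data:"
  // host-source: [scheme://][*.]host[:port][/path]; port and path are not matched here.
  const m = /^(?:([a-z]+):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, anySub, host] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ":") return false;
  // Without an explicit scheme the page scheme applies (https always acceptable).
  if (!scheme && target.protocol !== page.protocol && target.protocol !== "https:") return false;
  const th = target.hostname.toLowerCase();
  const h = host.toLowerCase();
  return anySub ? th.endsWith("." + h) : th === h;
}

// Would a URL load governed by directive `name` be allowed?
function urlAllowed(directives, name, url, pageOrigin) {
  const sources = effectiveSources(directives, name);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  return sources.some((s) => sourceMatchesUrl(s, url, pageOrigin));
}

// Would an inline <script>/<style> block be allowed? It needs 'unsafe-inline'
// or a matching nonce; when a nonce or hash source is present, 'unsafe-inline'
// is ignored. Note that '*' does NOT permit inline content.
function inlineAllowed(directives, name, nonce) {
  const sources = effectiveSources(directives, name);
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return !hasNonceOrHash && sources.includes("'unsafe-inline'");
}

// The policy from the question's <meta> tag, evaluated against a constructed
// page origin and constructed resource URLs.
const questionPolicy =
  "default-src *; script-src 'self' 'nonce-Random'; connect-src 'self'; img-src *; style-src *; media-src *";
const pageOrigin = "https://localhost"; // constructed stand-in for the app's origin

function evaluateQuestionPolicy() {
  const d = parsePolicy(questionPolicy);
  return {
    inlineStyle: inlineAllowed(d, "style-src", null),                 // false: '*' is not 'unsafe-inline'
    inlineScriptWithNonce: inlineAllowed(d, "script-src", "Random"),  // true
    inlineScriptNoNonce: inlineAllowed(d, "script-src", null),        // false
    xhrToApi: urlAllowed(d, "connect-src", "https://api.example.com/v1", pageOrigin), // false: 'self' only
    imgFromCdn: urlAllowed(d, "img-src", "https://cdn.example.com/a.png", pageOrigin), // true
    fontFallback: urlAllowed(d, "font-src", "https://fonts.example.com/x.woff", pageOrigin), // true via default-src *
  };
}

// A constructed tighter policy that names the API host instead of opening
// everything, and allows inline styles explicitly.
const tightenedPolicy =
  "default-src 'self'; script-src 'self' 'nonce-Random'; connect-src 'self' https://api.example.com; img-src 'self' data:; style-src 'self' 'unsafe-inline'";

console.log(evaluateQuestionPolicy());
```

Run it with node; the printed object shows that under the question's policy inline styles and the XHR to the API host are refused while any http(s) image is accepted. The tightened policy keeps the same nonce for scripts and reaches the API host by naming it under connect-src, which is the usual replacement for a `*` default.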

Accepted answer

Short answer: No, you do not have to add a CSP in Cordova. My particular issue turned out to be an apparent lack of support for subdomain wildcards in access origin attributes in config.xml. Use subdomains="true" instead (see below).

Update: You should add CSP tags to your HTML... see the note at the bottom...

Details: I've been messing with this issue as well and finally found the solution when I looked at the source code for the whitelist plugin itself.

I noticed that the plugin checked the config.xml file for a line containing

<access origin="*" />

and in that case added a whitelist entry thus (Java code):

if ("*".equals(origin)) {
    allowedRequests.addWhiteListEntry("http://*/*", false);
    allowedRequests.addWhiteListEntry("https://*/*", false);
} else {
    allowedRequests.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
}

indicating that it creates CSP rules based on what it finds in the config.xml.

I added the <access origin="*" /> to my config.xml and things started working!

I then noticed in the above Java snippet that in cases where the origin was something other than "*" the source code for the plugin would simply copy the given origin AND that it would also take heed of the "subdomains" attribute.

I looked at my previously working access definitions in config.xml:

<access origin="http://my.domain.com/*" />

I changed all of these to use the subdomains attribute instead of the wildcard:

<access origin="http://my.domain.com" subdomains="true" />

I then removed the <access origin="*" /> from before, and everything continued to work.

I also went back into my HTML file and removed the <meta http-equiv="Content-Security-Policy" ... > tags I had been experimenting with, and things continued to work, i.e. they aren't needed... the plugin does it all. I should note that the aforementioned CSP tags in my HTML did have some effect, but I could not get them to work for my XMLHttp requests. My platform is Android. Cordova -v = 5.0.0 (I had upgraded from v 3.x.x).

You may want to look through the rest of the plugin source, as it may have changed, or for hints on how to deal with other issues, e.g. <allow-navigation href="*" /> in config.xml, which results in CSPs as above (i.e. "http://*/*" and "https://*/*") as well as "data:*".

Just noticed:

I get a warning from the whitelist plugin when the Cordova app is run:

No Content-Security-Policy meta tag found. Please add one when using the cordova-plugin-whitelist plugin

Which I take to mean that the plugin opens everything up and you should be using CSP in your HTML files to be a responsible and secure coder - will do! ;)

I note that in the second part of your question you seem to be trying to set CSP wide open... so my answer thus far should suffice to get things going. As far as the proper application of CSP tags, I'm in the same boat as you... and will be looking at online resources to figure it out. I imagine Google and Apple may require proper CSP tags at some point in the future.
