Content Security Policy nonce does not apply to event handler attributes
Question
I am in the process of adding CSP headers to a site that has a long way to go before it can adopt a strict policy. There are quite a few inline scripts, so I am using nonce- to allow specific inline scripts. I have found that it doesn't work on the onload attribute of a script tag with src. Here's an example:
// header:
Content-Security-Policy: script-src self https: 'nonce-d3adbe3fed'
// note: the keyword must be quoted as 'self'; a bare self is parsed as a host-source matching a host named "self"
<script async defer src="https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.9.1/underscore-min.js" nonce="d3adbe3fed" onload="console.log('onload', _.VERSION)"></script>
Full working demo at https://brave-pasteur-0d438b.netlify.com/
Chrome gives the following error:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src self https: 'nonce-d3adbe3fed'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
The message suggests that it should be possible to enable inline event handlers with a nonce, but as far as I can tell, nonce is only intended to work on inline scripts.
This is just a demo, but the use case is an async/deferred tracking script which loads the tracking library, then in the onload handler makes a tracking call to the loaded library.
Is it possible to use a nonce on an onload or other event handler attribute, or will I need to change my implementation? Using script-src 'unsafe-inline' or script-src-attr 'unsafe-inline' is not an option, as those are the vulnerabilities I am specifically trying to address. And putting the contents of the onload handler into a separate script following the script tag is also not an option because the script is async deferred, and needs to stay that way.
Accepted answer
If there is a way to use nonce on an inline handler, I will accept an answer that demonstrates it. Unfortunately, at the time of writing, I don't think there is.
As a workaround, the following script exhibits the same behavior and timing as a script with async/defer and an onload handler, while satisfying the specified CSP policy:
<script nonce="d3adbe3fed">
  // This block is allowed by 'nonce-d3adbe3fed': the handler now lives inside a nonced
  // inline script element instead of in an onload attribute, which nonces cannot cover.
  let s = document.createElement('script');
  // A script element created from JS is async by default; its src is permitted by the
  // https: source expression in the policy.
  s.src = 'https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.9.1/underscore-min.js';
  s.onload = () => console.log(_.VERSION);
  document.documentElement.appendChild(s);
</script>
Of course, the long term solution is to eliminate inline scripts completely, but in the short term that isn't always feasible, and it is better to implement a more lax policy quickly, than to put it off and have no CSP at all.