Why doesn't Chrome respect my Content Security Policy hashes?

Question

I'm having to add CSP to a page that has inline styles, and to avoid using 'unsafe-inline' I'm using hashes. My technique for adding the hashes is just to load the page in Chrome, see the error messages and copy all the suggested hashes (e.g. take <suggested hash> from "Refused to apply inline style because it violates the following Content Security Policy directive: "style-src ...". Either the 'unsafe-inline' keyword, a hash ('<suggested hash>'), or... is required to enable inline execution.").

This fixed the problem in Firefox, but not in Chrome. Oddly enough, Chrome doesn't appear to respect the hashes that it itself has generated. This leads to a funny situation whereby Chrome lists the policy including the hash, says it doesn't comply, and then recommends that I add a hash that was in the policy it printed just before.

My policy:

default-src 'none'; font-src 'self' data:; img-src 'self'; script-src 'self' 'report-sample'; style-src 'self' 'sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-OTeu7NEHDo6qutIWo0F2TmYrDhsKWCzrUgGoxxHGJ8o=' 'sha256-fviu5RwuBYFcCd5CDanhy6NCLufcwvCAbm061aSqhoQ=' 'sha256-wS7xf+bhXBr5EM064hQkAW0vX3ks5VoxbGn+KQC/Vhk=' 'sha256-cxL35Ug49Sl1zHMOdz/r0xinQ6BYGgClHdDCk2XPTzE='; object-src 'self'; connect-src 'self'

This results in numerous errors such as:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-OTeu7NEHDo6qutIWo0F2TmYrDhsKWCzrUgGoxxHGJ8o=' 'sha256-fviu5RwuBYFcCd5CDanhy6NCLufcwvCAbm061aSqhoQ=' 'sha256-wS7xf+bhXBr5EM064hQkAW0vX3ks5VoxbGn+KQC/Vhk=' 'sha256-cxL35Ug49Sl1zHMOdz/r0xinQ6BYGgClHdDCk2XPTzE='". Either the 'unsafe-inline' keyword, a hash ('sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI='), or a nonce ('nonce-...') is required to enable inline execution.

wherein Chrome recommends that I add a hash that is already present in the policy.

Probably there's some Chrome-specific gotcha I'm missing. Any ideas what it might be?

Recommended answer

I assume that you have your inline styles in style attributes (as opposed to inline <style> elements). According to the CSP specification, hashes should apply to inline <style> elements only, not to style attributes.

While Chrome displays a very confusing error message for style attributes, it actually complies with the specification (some other browsers, e.g. Firefox and IE, don't). You cannot allow inline style attributes using hash codes in CSP in Chrome. If you absolutely need to allow them, you have to use 'unsafe-inline'.

The CSP 3.0 specification will probably include the possibility to extend the hash codes to style attributes by using 'unsafe-hashed-attributes'. This functionality is still in a "work in progress" state at the moment though and does not seem to be implemented in Chrome yet.

Example:

<?php
header("Content-Security-Policy: style-src 'self' 'sha256-U/AHSCAVB2ZhU2+kPeMhPfZyIE2wH4fhQ0ZtYjq9/JA=' 'sha256-l8V8xXSfpuv7xbN4e0tIS0v77DG2xfSC1rSpNZak/K8='");
header("Content-Type: text/html");
?>

<!DOCTYPE html>
<html>
  <head>
    <!-- Inline style - 'sha256-U/AHSCAVB2ZhU2+kPeMhPfZyIE2wH4fhQ0ZtYjq9/JA=' -->
    <style>.redtext {color: red;}</style>
  </head>

  <body>
    <div class="redtext">This should be red - style from &lt;style&gt; element.</div>
    <!-- Inline style in attribute - 'sha256-l8V8xXSfpuv7xbN4e0tIS0v77DG2xfSC1rSpNZak/K8=' -->
    <div style = "color: green;">This should not be green - style from attribute should be disallowed even though its hash is included in style-src in CSP.</div>
  </body>
</html>
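As an added example (not part of the question or the answer), the following Python script computes the CSP hash-sources for a page's <style> elements the same way the browser does (base64 of the SHA-256 over the element's exact text) and separately lists the style attributes that, as the answer explains, no hash can allow. It also shows that 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' in the question's policy is the hash of the empty string, i.e. an empty inline block. The sample page is constructed here and only mirrors the answer's example.

```python
import base64
import hashlib
from html.parser import HTMLParser


class InlineStyleCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.style_blocks, self.style_attributes = [], []   # <style> texts, style="..." values
        self._in_style, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style, self._buf = True, []
        # style attributes are collected separately: a CSP hash cannot cover them
        self.style_attributes += [v for k, v in attrs if k == "style" and v is not None]

    def handle_data(self, data):
        if self._in_style:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._in_style:
            self._in_style = False
            self.style_blocks.append("".join(self._buf))


def csp_sha256(source_text):
    """CSP hash-source for an inline block: base64(SHA-256(exact UTF-8 bytes, whitespace included))."""
    digest = hashlib.sha256(source_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_style_src(html):
    """Return (style-src directive covering every <style> element, style attributes left uncovered)."""
    parser = InlineStyleCollector()
    parser.feed(html)
    parser.close()
    hashes = [f"'{csp_sha256(block)}'" for block in parser.style_blocks]
    return "style-src " + " ".join(["'self'"] + hashes), parser.style_attributes


# Constructed sample page (not from the post): a <style> element, an empty <style> element, a style attribute.
SAMPLE_HTML = ('<html><head><style>.redtext {color: red;}</style><style></style></head>'
               '<body><div class="redtext">red</div>'
               '<div style="color: green;">green</div></body></html>')

if __name__ == "__main__":
    directive, attrs = build_style_src(SAMPLE_HTML)
    print(directive, "| style attributes a hash cannot allow:", attrs)
```

The attributes reported at the end have to be moved into a <style> element or a class before the page works without 'unsafe-inline'.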
