Add nonce attribute to auto-generated WebForms script


Problem description

While implementing the CSP header on my website, I am facing problems with the automatically generated postback JavaScript that webforms adds to the page:

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
    theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}
//]]>
</script>

To support some other script tags inline I have successfully added the nonce attribute, however I can find no way to modify this piece of generated code to do the same thing. I have explored ClientScript.GetPostBackEventReference but this appears to control the JavaScript within, nothing about the rendering of the <script> tag itself.

The solution does not necessarily need to involve adding the nonce attribute, anything that complies will do. For example, if there is an ASP.NET setting which can be configured to load this script as a file (which I can whitelist) that would be fine.

Recommended answer

Good luck implementing a good CSP on ASP.NET with Webforms Scheme - WebForms controls will add a whole bunch of inline scripts like on this login button:

<a id="btnLogin" class="btn btn-info pull-right" href="javascript:__doPostBack(&#39;btnLogin&#39;,&#39;&#39;)">Login</a>

If you're not using many <asp:... controls, you might be alright.

To allow the above script you want to run, you can add this to your CSP after script-src:

sha256-uVkxb0ccirYwSBxwdr2/4qtJEH1eBw7MslAgyLdAVVY=

It lets your browser know that it should execute any script that has that sha256 hash.

The hash I've given you may not work if you're using different newlines to what I'm using (which I believe is windows style).

You should also be careful that you don't have a page which changes the default form id to something other than "form1".
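The hash approach from the answer, as an added example that is not part of the original answer: this Python sketch computes the `'sha256-...'` source for the generated postback script and shows the value changing with the newline style and the form id. The function names, the `'self'` source and the page template are assumptions constructed for illustration; in a real policy each hash source is written inside single quotes, as emitted here.

```python
import base64
import hashlib
import re

# Constructed sample: the postback script from the question, with the form id as a parameter.
SCRIPT_BODY = """
//<![CDATA[
var theForm = document.forms['{form_id}'];
if (!theForm) {{
    theForm = document.{form_id};
}}
function __doPostBack(eventTarget, eventArgument) {{
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {{
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }}
}}
//]]>
"""

# Crude matcher for inline <script> elements (no src attribute); enough for generated markup.
INLINE_SCRIPT = re.compile(r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)

def render_page(form_id="form1", newline="\r\n"):
    """Build a constructed page holding the postback script with the given newline style."""
    body = SCRIPT_BODY.format(form_id=form_id).replace("\n", newline)
    return '<html><body><script type="text/javascript">' + body + "</script></body></html>"

def csp_hash(script_text):
    # The hash covers every character between the tags, whitespace and newlines included.
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def inline_script_hashes(html):
    return [csp_hash(text) for text in INLINE_SCRIPT.findall(html)]

def script_src(html_variants):
    # One hash source per distinct inline script; 'self' is an assumed baseline source.
    sources = []
    for html in html_variants:
        for h in inline_script_hashes(html):
            if h not in sources:
                sources.append(h)
    return "script-src 'self' " + " ".join(sources)

if __name__ == "__main__":
    pages = [render_page("form1", "\r\n"), render_page("form1", "\n"), render_page("aspnetForm")]
    print(script_src(pages))
```

Chrome's console message for a blocked inline script includes the hash it expected, which is the value to compare against when a computed hash does not match.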
