Why is inline script forbidden (Content Security Policy)?


Question

I'm wondering about the quote from the specification:
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html


To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker.

Sourcing out all inline script is a time-heavy task.

My question is from the security point of view. Do you really get any security benefit by extracting all inline script (e.g. JavaScript) to external sources?

Thanks

Recommended answer

The key part is

the user agent cannot determine whether an inline script was injected by an attacker.

To provide protection, CSP has to prevent substrings controlled by an attacker from causing code to run. Since the user agent does not know which parts of the HTML were specified by untrusted inputs, and which come from a template written by a trusted developer, it has to assume the worst -- that any attribute or element could be controlled by an attacker.


Do you really get any security benefit by extracting all inline script (e.g. JavaScript) to external sources?

No. Extracting the scripts that you want to run does not provide any security benefit; it merely lets you run the scripts that you want while still using CSP.

The security benefit comes from being able to invoke the browser's HTML parser without unintentionally executing scripts that abuse domain privileges or steal secrets.
