How to let a script use setAttribute('style') without breaking CSP


Problem description

I am trying to keep my CSP policy as strict as possible. I need to include a third-party component in my bundle. But it uses the element.setAttribute('style', ...) method, which breaks CSP. Is there a way to allow this particular script to inline styles in that manner?

Recommended answer

Update 2018-10-06

The original answer here is still correct for now — because with CSP as currently implemented in browsers at least, there’s still no way to have dynamically injected styles at all without specifying unsafe-inline, and specifying unsafe-inline basically negates the whole purpose of CSP.

However, CSP3 adds a new unsafe-hashes expression for enabling you to allow particular inline scripts/styles. See https://w3c.github.io/webappsec-csp/#unsafe-hashes-usage, and see Explainer: ‘unsafe-hashes’, ‘unsafe-inline-attributes’ and CSP directive versioning. It hasn’t shipped in any browsers yet, though. So for the time being, the answer below still fully applies.

The only way to allow style attributes is to use unsafe-inline. It doesn’t matter whether the style attributes are coming from a different origin or from self—they’re still going to be considered a CSP violation unless you have unsafe-inline.

Specifically, one solution that won’t work for style attributes is to use a nonce or hash—because in CSP, nonce and hash usage are only defined for style and script elements; the spec has a Hash usage for style elements section that explicitly omits defining hash use for style attributes.

So even if in your policy you specify the correct hash for the contents of a style attribute, your browser will still handle it as a violation.

The bottom line is that since unsafe-inline is the only way to allow style attributes—but using unsafe-inline pretty much completely defeats the purpose of having any CSP policy to begin with—the only safe solution from a CSP perspective is just to never use style attributes—neither directly from your own markup/code nor by way of any third-party code.
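As an added example (not code from the question or the answer), the Python check below encodes the rules the answer describes so a policy string can be tested before deployment: 'unsafe-inline' is the only source expression that permits style attributes, a hash or nonce does not help, and, as a CSP2+ rule the answer does not spell out, a nonce or hash in the same directive makes 'unsafe-inline' ignored. It follows the CSP3 fallback order style-src-attr, then style-src, then default-src; the 'unsafe-hashes' expression from the update is not modelled. Function and directive names below are my own choices.

```python
"""Decide whether a serialized CSP permits element.setAttribute('style', ...)."""
from __future__ import annotations

# Directive fallback a browser uses for inline style attributes (CSP3 adds
# style-src-attr; older policies only carry style-src and default-src).
ATTR_FALLBACK = ("style-src-attr", "style-src", "default-src")


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a policy header value into {directive: [source expressions]}.

    Only the first occurrence of a directive is honoured, as the spec requires.
    """
    directives: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def _is_nonce_or_hash(expr: str) -> bool:
    """True for 'nonce-...' and 'sha256/384/512-...' source expressions."""
    e = expr.lower()
    return e.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))


def style_attributes_allowed(policy: str) -> tuple[bool, str]:
    """Return (allowed, reason) for style attributes under the given policy."""
    directives = parse_policy(policy)
    for name in ATTR_FALLBACK:
        exprs = directives.get(name)
        if exprs is None:
            continue  # fall back to the next directive
        # CSP2+: any nonce- or hash-source in the list disables 'unsafe-inline'.
        if any(_is_nonce_or_hash(e) for e in exprs):
            return False, f"{name} carries a nonce/hash, so 'unsafe-inline' is ignored"
        if any(e.lower() == "'unsafe-inline'" for e in exprs):
            return True, f"{name} allows 'unsafe-inline' (weakens the whole policy)"
        return False, f"{name} has no 'unsafe-inline'; style attributes are violations"
    # No style-governing directive at all: CSP places no restriction on styles.
    return True, "no style-src/default-src directive; styles are unrestricted"


if __name__ == "__main__":
    # Constructed sample policies, including the one the asker would be tempted to write.
    for p in ("default-src 'self'; style-src 'self'",
              "default-src 'self'; style-src 'self' 'unsafe-inline'",
              "style-src 'self' 'unsafe-inline' 'nonce-abc123'"):
        print(p, "->", style_attributes_allowed(p))
```

The third sample shows the trap: adding a nonce for your own styles silently cancels the 'unsafe-inline' the third-party component needed.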
