How to let a script use setAttribute('style') without breaking CSP
Question
I am trying to keep my CSP policy as strict as possible. I need to include a third-party component in my bundle. But it uses the element.setAttribute('style', ...) method, which breaks CSP. Is there a way to allow this particular script to inline styles in that manner?
Accepted answer
Update 2018-10-06
The original answer here is still correct for now — because with CSP as currently implemented in browsers at least, there’s still no way to have dynamically injected styles at all without specifying unsafe-inline, and specifying unsafe-inline basically negates the whole purpose of CSP.
However, CSP3 adds a new unsafe-hashes expression for enabling you to allow particular inline scripts/styles. See https://w3c.github.io/webappsec-csp/#unsafe-hashes-usage, and see Explainer: ‘unsafe-hashes’, ‘unsafe-inline-attributes’ and CSP directive versioning. It hasn’t shipped in any browsers yet, though. So for the time being, the answer below still fully applies.
The only way to allow style attributes is to use unsafe-inline. It doesn’t matter whether the style attributes are coming from a different origin or from self — they’re still going to be considered a CSP violation unless you have unsafe-inline.
Specifically, one solution that won’t work for style attributes is to use a nonce or hash — because in CSP, nonce and hash usage are only defined for style and script elements; the spec has a Hash usage for style elements section that explicitly omits defining hash use for style attributes.
So even if in your policy you specify the correct hash for the contents of a style attribute, your browser will still handle it as a violation.
The bottom line is that since unsafe-inline is the only way to allow style attributes — but using unsafe-inline pretty much completely defeats the purpose of having any CSP policy to begin with — the only safe solution from a CSP perspective is just to never use style attributes — neither directly from your own markup/code nor by way of any third-party code.