CSP hash or nonce for inline JS within attribute


Question

New to Content Security Policy stuff so not sure if this is possible or not, but wondering how to add a hash or nonce for some inline script within an HTML element's attribute.

For example:

<form method="post" onsubmit="function();">

Gives me the following CSP error in Google Chrome:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

I've tried hashing just the script, e.g. function(); as well as onsubmit="function", and neither works. I tried adding a nonce to the form element but that didn't help.

If needed I can move the event binding outside of the element attribute, just curious if there is a way to adhere to a CSP with the above.

Answer

Go to your endpoint where your content is being blocked. Check out the console on your browser. Your browser will notify you of the content which is being blocked, and it will also give you the hash you have to use to unblock that content via CSP.

Source: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
