ASP.NET Core Content Security Policy implementation


Question


I have implemented code to manage the Content Security Policy layer in my application. My implementation is based on an ActionFilterAttribute which was inspired by the code available here (I am including it in the question for the sake of simplicity).

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Class name assumed; the question shows only the override itself.
public class SecurityHeadersAttribute : ActionFilterAttribute {
    public override void OnResultExecuting( ResultExecutingContext context ) {
        var result = context.Result;
        // only decorate HTML responses rendered from views
        if ( result is ViewResult ) {
            if ( !context.HttpContext.Response.Headers.ContainsKey( "X-Content-Type-Options" ) ) {
                context.HttpContext.Response.Headers.Add( "X-Content-Type-Options", "nosniff" );
            }
            if ( !context.HttpContext.Response.Headers.ContainsKey( "X-Frame-Options" ) ) {
                context.HttpContext.Response.Headers.Add( "X-Frame-Options", "SAMEORIGIN" );
            }

            // the policy as it stands in the question: a single wildcard default-src
            var csp = "default-src *;";

            // once for standards compliant browsers
            if ( !context.HttpContext.Response.Headers.ContainsKey( "Content-Security-Policy" ) ) {
                context.HttpContext.Response.Headers.Add( "Content-Security-Policy", csp );
            }
            // and once again for IE
            if ( !context.HttpContext.Response.Headers.ContainsKey( "X-Content-Security-Policy" ) ) {
                context.HttpContext.Response.Headers.Add( "X-Content-Security-Policy", csp );
            }
        }
    }
}


However, as you can see from the following pictures, I still get errors in the browser (Firefox in the sample). This is the developer console showing the headers which are present:

These are the console errors:


What am I doing wrong, especially for the last three errors in the console?

Answer


To eliminate the CSP errors in the console screen capture, you must make this header happen:

Content-Security-Policy:
  script-src 'self' https://cdnjs.cloudflare.com;
  style-src 'self' https://fonts.googleapis.com;
  img-src 'self' data:


(The value shown in that above is broken up across multiple lines just for readability.)

The key points are:

  • you need to have 'self' in there
  • you need to give the origin values for the third-party https://cdnjs.cloudflare.com and https://fonts.googleapis.com origins that you’re loading fonts and scripts from
  • you need to have data: in there to allow the data:image/gif URL in your markup


And if the document is really also loading resources from https://localhost:5000 then you need to have that in there too.


And if there’s already some other part of your backend that’s adding a CSP header, then it’s important to understand that any policy you add with an additional CSP header can only make the policy stricter, not more liberal.


So if the CSP header that’s being added elsewhere is a stricter one than you need, then you must find the part of the system which is adding that, and make it stop. And then you can add the more-liberal CSP header you need.
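The following filter is an added example, not code from the question or the answer: it emits the policy the answer describes as one Content-Security-Policy header built from a directive table, and assigns it through the header indexer so it replaces (rather than sits beside) a header set earlier in the pipeline. The class and method names are assumptions; the directive values are the ones listed in the answer.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Added example; the class name is assumed and is not part of the original post.
public sealed class CspHeaderAttribute : ActionFilterAttribute
{
    // One entry per directive, taken from the answer. Directives that are not
    // listed (for example font-src or connect-src) have no default-src to fall
    // back on, so this policy leaves them unrestricted.
    private static readonly Dictionary<string, string[]> Directives =
        new Dictionary<string, string[]>
        {
            ["script-src"] = new[] { "'self'", "https://cdnjs.cloudflare.com" },
            ["style-src"]  = new[] { "'self'", "https://fonts.googleapis.com" },
            ["img-src"]    = new[] { "'self'", "data:" },
        };

    // Serialises the table into the single-line header value:
    // "script-src 'self' https://cdnjs.cloudflare.com; style-src ...; img-src ..."
    public static string BuildPolicy(IDictionary<string, string[]> directives) =>
        string.Join("; ", directives.Select(d => d.Key + " " + string.Join(" ", d.Value)));

    public override void OnResultExecuting(ResultExecutingContext context)
    {
        // Only HTML rendered from a view needs the policy.
        if (!(context.Result is ViewResult))
        {
            return;
        }

        var headers = context.HttpContext.Response.Headers;

        // The indexer overwrites a Content-Security-Policy header that an earlier
        // component already set. Adding a second header instead would not help:
        // browsers enforce every CSP header they receive, so the effective policy
        // can only get stricter. A component that writes the header *after* this
        // filter still wins, which is why the answer says to find it and stop it.
        headers["Content-Security-Policy"] = BuildPolicy(Directives);
    }
}
```

Apply it as `[CspHeader]` on a controller or register it globally through `MvcOptions.Filters`; `BuildPolicy` is public so the produced header value can be unit-tested without a running server.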
