Google Chrome Stripping nonce values from script tags


Problem description

I'm trying to add nonce values to my inline scripts to satisfy a stricter CSP. However, I am running into a weird issue where Chrome is stripping the value from nonce attributes. When I curl the page, nonce values are present. This is causing the script not to be executed as it now fails the CSP test. I thought this may be due to a rogue extension, but it fails on a perfectly clean version of Chrome. (Version 73.0.3683.103 on OSX) The value for the nonce is a random 256-bit base encoded string, so it should satisfy all requirements for the nonce.

Does anyone have any idea what is going on? Am I doing something wrong?

Recommended answer

What’s described in the question is actually expected behavior — required per the HTML spec:

https://html.spec.whatwg.org/multipage/#nonce-attributes:attr-nonce

Elements that have a nonce content attribute … by taking the value from the content attribute and moving it into an internal slot named [[CryptographicNonce]]

https://html.spec.whatwg.org/multipage/#nonce-attributes:dom-noncedelement-nonce

…the setter for the nonce IDL attribute does not update the corresponding content attribute. This, as well as the below setting of the nonce content attribute to the empty string when an element becomes browsing-context connected, is meant to prevent exfiltration of the nonce value through mechanisms that can easily read content attributes, such as selectors.

This behavior was added in an update to the spec at https://github.com/whatwg/html/pull/2373 (Hide nonce content attribute values); discussion at https://github.com/whatwg/html/issues/2369.

To be clear: the behavior the spec requires is, if the markup source you serve over the wire has:

<script nonce=DhcnhD3khTMePgXw>...</script>

…then if you open browser devtools and use the DOM inspector, what you’ll see instead is this:

<script nonce>...</script>

That is, the DOM inspector will show no value for the nonce attribute on that script element.

More accurately: you’ll see no value for the nonce attribute on that script if the doc is served with a Content-Security-Policy header, and the browser is applying the policy in that header.

If you don’t serve the doc with a Content-Security-Policy header, or the browser isn’t applying the policy from it, you’ll see nonce=DhcnhD3khTMePgXw for the script element in the inspector.

So the lack of a value for that nonce attribute in the DOM inspector actually indicates that things are working as expected. That is, it indicates the browser is checking the value for a match against any nonce-* source expressions in the Content-Security-Policy header.

The way it works inside browsers is: browsers move the nonce attribute’s value to an "internal slot" for the browser’s own use. So it stays available to the browser but is hidden from the DOM.

The reason you don’t yet see the same behavior as Chrome’s in Safari is, Safari hasn’t caught up with the spec update and implemented the requirement. But there is an open Safari bug.

To check if your browser conforms to the spec behavior, you can use the tests here:

And the current results for those tests in major browsers are here:
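Since the inspector can no longer be used to eyeball the nonce, the practical way to diagnose a blocked inline script is to compare the markup as served (what curl shows) with the 'nonce-…' source expressions in the Content-Security-Policy header. The following Python check does exactly that; it is an added example, not code from the original answer, and the function names and the constructed response are assumptions.

```python
import base64
import secrets
from html.parser import HTMLParser

def make_nonce() -> str:
    """256 bits from the OS CSPRNG, base64-encoded: generate one fresh value per response."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")

def _directive_tokens(csp: str, name: str):
    """Source tokens of one CSP directive, or None when that directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def csp_nonce_sources(csp: str) -> set:
    """Nonce values the policy accepts for scripts: 'nonce-...' tokens in script-src,
    falling back to default-src only when script-src is not present at all."""
    tokens = _directive_tokens(csp, "script-src")
    if tokens is None:
        tokens = _directive_tokens(csp, "default-src") or []
    return {t[7:-1] for t in tokens if t.lower().startswith("'nonce-") and t.endswith("'")}

class _ScriptNonces(HTMLParser):
    """Collects the nonce content attribute of every <script> in the served markup."""
    def __init__(self):
        super().__init__()
        self.nonces = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.nonces.append(dict(attrs).get("nonce") or "")  # bare `nonce` -> ""

def script_nonces(html: str) -> list:
    parser = _ScriptNonces()
    parser.feed(html)
    return parser.nonces

def check_response(headers: dict, html: str) -> list:
    """For each <script>: (nonce as served, True if the CSP header would allow it)."""
    allowed = csp_nonce_sources(headers.get("Content-Security-Policy", ""))
    return [(n, n in allowed) for n in script_nonces(html)]

if __name__ == "__main__":
    nonce = make_nonce()
    # Constructed response: the first script carries the current nonce, the second a stale one.
    headers = {"Content-Security-Policy": f"default-src 'self'; script-src 'nonce-{nonce}'"}
    html = f'<script nonce="{nonce}">ok()</script><script nonce="stale">blocked()</script>'
    for n, ok in check_response(headers, html):
        print(f"{n or '<empty>'}: {'allowed' if ok else 'BLOCKED by CSP'}")
```

A script reported as BLOCKED here while the header is applied is the situation the question describes; a nonce that matches here but still fails in the browser points at the header not reaching the browser (for example, a proxy or cache serving a stale page with a nonce from an earlier response).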
