Firefox拒绝加载具有严格动态设置的任何脚本 [英] Firefox refuses to load any scripts with strict-dynamic set

问题描述

如果设置了严格动态，Firefox 68将拒绝加载脚本.删除它可以解决问题，但是我试图找出 为什么 严格动态会导致Firefox阻止脚本.(Chrome 76或77中没有错误.)

Firefox 68 is refusing to load scripts if strict-dynamic is set. Removing it fixes the problem but I'm trying to figure out why strict-dynamic causes Firefox to block the scripts. (There are no errors in Chrome 76 or 77.)

这是我当前的CSP:

default-src 'none';  
base-uri 'self';  
connect-src https://api.[mysite].com;  
font-src 'self' https://use.typekit.net;  
form-action 'self';  
frame-ancestors 'self';  
img-src 'self' data:;  
manifest-src 'self';  
object-src 'none';  
script-src 'self' 'unsafe-inline' https: 'sha384-iNlFf0Eg2hINxMB9tToQV4RnxDkAZlsPP94pWd15ctvGZBv9ryRfQqFtFZNM7XiA' 'sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49' 'sha384-ZDHQDqvUUYauNA9cFuoaV9L+U+ZtxzdGF70k0b7fDra3FBacCe+Hngtw49T6CJb7' 'sha384-rNVOlvKt+mE/FuEDamC09wqzy3DjyosfTPCDkViitrbSMgS05HdT7pLifJLUpKkN' 'sha384-WCO1dM1VIjdz4wJR0FG7yGtGylSMdwCQDP5MoFjrc/u8970XcFh6zwXdjG76eCDS' 'sha384-+N7evcl7zrc6o9kMNnhuSkeAgOTW8X1IJ9QNoUeFg1Nk2F9iePwtyeN23Xmrfvl8' 'sha384-AQ+OmaAwyCDPM0nqlDUkKMa3qkWQ3oi/reAOFXu3Qpj+8qSrRlqoFd18NNJbOZVT' 'sha384-OAeN05/PeTav9WcYPjJBUnayKJllw2VgLFEpNY5rRWciopAb4v1ERIKclCaF6J/4' 'sha256-kzvsAqTDCfIphFz0XiR4pT52mnhHbvon43SO5jB18dk=' 'sha384-+StHyFUD2Qm2XSU/KU8ItNOwDenBX7rmg1dlwv/d2/UScI4z1E4NleDCQxN5bGFg' 'sha512-4SOBW3M7cPHveemHR+3DE/wa2TMg+IrV5KbofseWTiJdRGhP5fPy9kNGgHMnw3x7KuWuIqeY4O/jFFL8gio9Ag==' 'sha256-1qUviT9v0xAXIG4t/jw+97tZmTnpSdX/kJ2TZBkMBVA=' 'sha384-1oQ+rlRG29IUmyXJ19qy/3JkdRgR+FYDwdljaRj7hFK46jWfXOttNyJ6lgJIiYmx' 'sha512-+t+Sm1j5Sr1ZuxzwvYlZbZw+wODnAGe/YPgZ7BE00ZWwp6Ct5FKWt4EybojdgUxYrzaM20OBZ2I1Uh4U9Vl6WA==' 'strict-dynamic' 'report-sample';  
style-src 'self' 'unsafe-inline' https://use.typekit.net/ldr0egh.css https://p.typekit.net 'report-sample';  
report-uri https://[mysite].report-uri.com/r/d/csp/reportOnly;  
report-to default

由于散列匹配，我希望Firefox将加载脚本.但是启用严格动态后，它会窒息.这是Firefox中的错误吗?还是我需要做不同的CSP?

I would expect that Firefox would load the scripts since the hashes match. But with strict-dynamic enabled it chokes. Is this a bug in Firefox? Or do I need to be doing my CSP differently?

Firefox中的错误是:

The errors in Firefox are:

Content Security Policy: The page's settings observed the loading of a resource at https://[mysite]/scripts/js/jquery.min.js ("script-src"). A CSP report is being sent.
Content Security Policy: The page's settings observed the loading of a resource at https://[mysite]/scripts/js/popper.min.js ("script-src"). A CSP report is being sent.
Content Security Policy: The page's settings observed the loading of a resource at https://[mysite]/scripts/js/bootstrap.min.js ("script-src"). A CSP report is being sent.

以上资源的哈希值是(script-src中的前三个):

The hashes for the above resources are (the first three in script-src):

sha384-iNlFf0Eg2hINxMB9tToQV4RnxDkAZlsPP94pWd15ctvGZBv9ryRfQqFtFZNM7XiA
sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49
sha384-ZDHQDqvUUYauNA9cFuoaV9L+U+ZtxzdGF70k0b7fDra3FBacCe+Hngtw49T6CJb7

推荐答案

支持外部脚本上的哈希未实现仍在Firefox中.

Support for hashes on external scripts was added in CSP Level 3 and is not implemented yet in Firefox.

这篇关于Firefox拒绝加载具有严格动态设置的任何脚本的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！