External script hash with 'strict-dynamic' requires "integrity" attribute on script tag?


Question

I'm working on a site's Content Security Policy, specifically the strict-dynamic keyword.

My test site has two files:

index.html:

<!DOCTYPE html>
<html>
  <head>
    <meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1,user-scalable=yes" />
    <meta charset="UTF-8" />
    <title>csp-test</title>
  </head>
  <body>
    <h1>csp-test</h1>
    <script src="./index.js"></script>
  </body>
</html>

index.js:

console.log('foo');

I'm looking into using the hash-based approach to allow the script.

Here is how I'm generating the hash in a node script:

const fs = require("fs");
const crypto = require("crypto");

// readFileSync without an encoding returns a Buffer, so the 'utf8' argument to update() is ignored
const input = fs.readFileSync("/path/to/index.js");
console.log(crypto.createHash("sha256").update(input, 'utf8').digest('base64'));

This is the result for index.js: 1kOLrDKT3TBiHLcnxiGsc7HF/lyVJKLhoZDSn0UwCfo=

With this hash, I update my CSP config to:

default-src 'self'; script-src 'self' 'strict-dynamic' 'sha256-1kOLrDKT3TBiHLcnxiGsc7HF/lyVJKLhoZDSn0UwCfo=' 'unsafe-inline'; object-src 'none'; base-uri 'self'

When I include this value as a response header named Content-Security-Policy-Report-Only (using the ModHeader Chrome extension), I still get an error in the console:

[Report Only] Refused to load the script 'http://localhost:5000/index.js' because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'sha256-1kOLrDKT3TBiHLcnxiGsc7HF/lyVJKLhoZDSn0UwCfo=' 'unsafe-inline'". 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

I can make this error go away by setting the integrity attribute on my script tag:

<script integrity="sha256-1kOLrDKT3TBiHLcnxiGsc7HF/lyVJKLhoZDSn0UwCfo=" src="./index.js"></script>

My question is: Why did I need to add the integrity attribute? I'm not seeing it mentioned in the documentation, and needing to add this attribute would further complicate our build process. Is there an alternative to needing to specify this attribute?

Answer

Why did I need to add the integrity attribute? I'm not seeing it mentioned in the documentation, and needing to add this attribute would further complicate our build process.

MDN contains only the common things that explain how CSP works. All the nitty-gritty is in the CSP spec.
Usage of the 'hash-value' token assumes that the external script already has the integrity= attribute (scripts from third-party CDNs). For your own scripts it's easier to use the 'nonce-value' token.
Moreover, Firefox does not support 'hash-value' for allowing external scripts, only for internal ones. Safari too.

Is there an alternative to needing to specify this attribute?

No way, unfortunately. Only built-in scripts (<script>...</script>) do not require the integrity= attribute, and they will be allowed automatically if their hashes are included in the script-src directive.

I'm working on a site's Content Security Policy, specifically the strict-dynamic keyword.

Be careful, Safari still does not support 'strict-dynamic'.

Here is how I'm generating the hash in a node script:

const input = fs.readFileSync("/path/to/index.js");
crypto.createHash("sha256").update(input, 'utf8').digest('base64')

The content of external scripts does not need to be converted to UTF-8 before hashing; only inline scripts have to be transcoded.
Also, the CSP spec requires all '-' characters to be replaced with '+' and all '_' characters with '/' in the hash value. After that the 'sha256-' prefix is added.
