为什么要为“内容安全策略"自定义标题在github上不工作? [英] Why custom headers for "Content Security Policy" not working on github?
问题描述
我正在尝试在NodeJS的帮助下提供SVG响应.该SVG具有一个小的内联JavaScript代码,可动态计算SVG的宽度.使用浏览器直接调用API时,一切正常.但是,当我在GitHub的自述文件中使用这些API(以自述文件的形式向服务器SVG使用)时,这不允许我运行此存储在SVG中的内联JavaScript代码.
I am trying to deliver an SVG response with the help of NodeJS. This SVG has a small inline JavaScript code that dynamically calculates the width of the SVG. Everything works when the APIs are called directly using the browser. But when I use these APIs in GitHub's readme (to server SVGs in readmes) it's not allowing me to run this inline JavaScript code stored in SVG.
添加任何SVG时,github都会生成一个链接,它看起来像:: https://camo.githubusercontent.com/some-unique-id-for-each-content ,当我直接在浏览器中打开此链接时,它在浏览器的控制台中显示以下错误:
When any SVG is added a link is generated by the github and it looks like :: https://camo.githubusercontent.com/some-unique-id-for-each-content and when I opened this link directly in browser it show the following error in browser's console:
拒绝执行内联脚本,因为它违反了以下内容安全策略指令:"default-src'none'".要启用内联执行,需要使用'unsafe-inline'关键字,哈希('sha256-')或随机数('nonce -...').另请注意,未明确设置"script-src",因此将"default-src"用作后备.
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
但是问题是我在发送响应之前设置了自定义的Content-Security-Policy标头,如下所示:
But the problem is that I am setting the custom Content-Security-Policy headers before sending the response, which looks like this:
res.setHeader("Content-Type","image/svg + xml");
res.setHeader("Content-Type", "image/svg+xml");
res.setHeader("Content-Security-Policy","default-src'self'; img-src data :; style-src'unsafe-inline'; script-src'self''unsafe-inline'");
res.setHeader("Content-Security-Policy", "default-src 'self'; img-src data:; style-src 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
似乎自定义script-src无法与github自述文件一起使用.我也尝试设置哈希值,但是没有任何影响标头的信息.
And it seems that the custom script-src is not working with github readmes. I have also tried to set the hash value, but nothing is affecting the headers.
任何人都可以纠正我或告诉我这里有什么问题吗?
Can anyone correct me or tell me what's wrong in here?
推荐答案
当您查看SVG时,GitHub不允许用户执行自定义JavaScript,因为他们设置了自己的 Content-Security-Policy >标头.那是因为通常来说,不受信任的JavaScript可以做恶意的事情,而GitHub则不希望人们窃取凭据或成为恶意软件的载体.
GitHub doesn't allow users to execute custom JavaScript when you're viewing an SVG because they set their own Content-Security-Policy header. That's because in general, untrusted JavaScript can do malicious things and GitHub doesn't want people to steal credentials or to become a malware vector.
在GitHub上呈现的所有用户提供的SVG都将受到此限制,因为GitHub上的所有图像都是通过Camo代理的,以防止恶意JavaScript和跟踪,因此所有图像均使用GitHub的 Content-Security-Policy 标头,而不是您的.如果您想在SVG中运行JavaScript,则只需在您自己的网站上完成.
All user-provided SVGs rendered on GitHub will be subject to this restriction because all images on GitHub are proxied through Camo to prevent malicious JavaScript and tracking, and consequently all images are sent with GitHub's Content-Security-Policy header, not yours. If you want to run JavaScript in SVGs, it will need to be done on your own site only.
这篇关于为什么要为“内容安全策略"自定义标题在github上不工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
