CSP:浏览器是否检查标题中的现时值是否与脚本标记中的现时值匹配? [英] CSP: Does browser check if the nonce value in header matches with the nonce value in script tag?

查看:91
本文介绍了CSP:浏览器是否检查标题中的现时值是否与脚本标记中的现时值匹配?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个页面使用Ajax加载部分内容.部分内容具有 script 标记,其临时值与 Content-Security-Policy 标头中定义的临时值不匹配.

I have a page that loads partial content using Ajax. The partial content has script tag whose nonce value DOES NOT match with the nonce defined in the Content-Security-Policy header.

这是完整的代码(使用asp.net核心+ jQuery 2.1.1)

Here is the complete code (using asp.net core + jQuery 2.1.1)

中间件
对于每个http请求,中间件将注入带有随机数值的 Content-Security-Policy 标头

public class CSPMiddleware
{
    private readonly RequestDelegate _next;

    public CSPMiddleware(RequestDelegate next)
    {
        _next = next;            
    }

    public async Task Invoke(HttpContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException("context");
        }
        
        context.Response.Headers["Content-Security-Policy"] = $"default-src 'self'; script-src 'self' 'nonce-abc' 'unsafe-eval'";

        await _next(context);
    }
}

Index.cshtml

<button type="button" id="btnGetContent">Get Partial View</button>

<div id="result">    
</div>

//this script on the main page will execute since nonce matches with the header
<script type="text/javascript" nonce="abc">
    $(function () {
        $("#btnGetContent").click(function () {
            $.ajax({
                type: "GET",
                url: "/home/getpartialview",
                processData: true,
                cache: false
            })
                .done(function (response, textStatus, jqXHR) {
                    $("#result").html(response);
                })
        })

        
    })
</script>

局部视图

@System.DateTime.Now.ToString();

<button id="btn2">Click Me. I am on Partial</button>

// this script should not execute since nonce does not match
<script type="text/javascript" nonce="xyz">
    $("#btn2").click(function () {
        alert("foo");
    })
</script>

我的期望是,不应触发部分视图上的click事件,因为脚本的现时值与标头不匹配.但是,点击事件确实会触发.

My expectation is, the click event on partial view should NOT fire because script's nonce value does not match with the header. However click event does get fire.

浏览器是否检查 Content-Security-Policy 标头中的现时值是否与脚本标记中的现时值相匹配?

Does browser checks if the nonce value in Content-Security-Policy header matches with nonce value in script tag?

推荐答案

是的,浏览器完全检查标头和脚本标记中的nonce值是否匹配.但是jQuery 2.x(无意间)使用了一种通过'unsafe-eval'绕过'nonce-value'的技术(您必须为此允许eval).
该框架打破了将脚本放入HTML代码的所有逻辑.

Yes, browser exactly check matches nonce values in the header and in the script tag. But jQuery 2.x (unintentionally) uses a technique to bypass 'nonce-value' via 'unsafe-eval' (you had to allow evalfor that).
This framework brokes all logics of placing scripts in the HTML code.

jQuery 2.x从HTML解析所有< script> ...</script> 标记,并将其放入动态生成的脚本标记中,或通过 eval():

jQuery 2.x parses all <script>...</script> tags from the HTML and puts it in a dynamically generated script tag or executes those through eval( ):

这就是为什么Dropbox为jQuery 2.x手动检查 nonce 的原因:

That's why Dropbox performs manual checking of nonce for jQuery 2.x:

更多详细信息,您可以在此视频(来自AppSec EU 2017)(已倒退到所需的时间).

More details you can find in this video from AppSec EU 2017 (already rewinded to the required moment).

这篇关于CSP:浏览器是否检查标题中的现时值是否与脚本标记中的现时值匹配?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆