CSP:浏览器是否检查标题中的现时值是否与脚本标记中的现时值匹配? [英] CSP: Does browser check if the nonce value in header matches with the nonce value in script tag?
问题描述
我有一个页面使用Ajax加载部分内容.部分内容具有 script
标记,其临时值与 Content-Security-Policy
标头中定义的临时值不匹配.
I have a page that loads partial content using Ajax. The partial content has script
tag whose nonce value DOES NOT match with the nonce defined in the Content-Security-Policy
header.
这是完整的代码(使用asp.net核心+ jQuery 2.1.1)
Here is the complete code (using asp.net core + jQuery 2.1.1)
中间件
对于每个http请求,中间件将注入带有随机数值的 Content-Security-Policy
标头
public class CSPMiddleware
{
private readonly RequestDelegate _next;
public CSPMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task Invoke(HttpContext context)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
context.Response.Headers["Content-Security-Policy"] = $"default-src 'self'; script-src 'self' 'nonce-abc' 'unsafe-eval'";
await _next(context);
}
}
Index.cshtml
<button type="button" id="btnGetContent">Get Partial View</button>
<div id="result">
</div>
//this script on the main page will execute since nonce matches with the header
<script type="text/javascript" nonce="abc">
$(function () {
$("#btnGetContent").click(function () {
$.ajax({
type: "GET",
url: "/home/getpartialview",
processData: true,
cache: false
})
.done(function (response, textStatus, jqXHR) {
$("#result").html(response);
})
})
})
</script>
局部视图
@System.DateTime.Now.ToString();
<button id="btn2">Click Me. I am on Partial</button>
// this script should not execute since nonce does not match
<script type="text/javascript" nonce="xyz">
$("#btn2").click(function () {
alert("foo");
})
</script>
我的期望是,不应触发部分视图上的click事件,因为脚本的现时值与标头不匹配.但是,点击事件确实会触发.
My expectation is, the click event on partial view should NOT fire because script's nonce value does not match with the header. However click event does get fire.
浏览器是否检查 Content-Security-Policy
标头中的现时值是否与脚本标记中的现时值相匹配?
Does browser checks if the nonce value in Content-Security-Policy
header matches with nonce value in script tag?
推荐答案
是的,浏览器完全检查标头和脚本标记中的nonce值是否匹配.但是jQuery 2.x(无意间)使用了一种通过'unsafe-eval'
绕过'nonce-value'
的技术(您必须为此允许eval).
该框架打破了将脚本放入HTML代码的所有逻辑.
Yes, browser exactly check matches nonce values in the header and in the script tag. But jQuery 2.x (unintentionally) uses a technique to bypass 'nonce-value'
via 'unsafe-eval'
(you had to allow evalfor that).
This framework brokes all logics of placing scripts in the HTML code.
jQuery 2.x从HTML解析所有< script> ...</script>
标记,并将其放入动态生成的脚本标记中,或通过 eval()
:
jQuery 2.x parses all <script>...</script>
tags from the HTML and puts it in a dynamically generated script tag or executes those through eval( )
:
这就是为什么Dropbox为jQuery 2.x手动检查 nonce
的原因:
That's why Dropbox performs manual checking of nonce
for jQuery 2.x:
更多详细信息,您可以在此视频(来自AppSec EU 2017)(已倒退到所需的时间).
More details you can find in this video from AppSec EU 2017 (already rewinded to the required moment).
这篇关于CSP:浏览器是否检查标题中的现时值是否与脚本标记中的现时值匹配?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!