What's the purpose of the HTML "nonce" attribute for script and style elements?


Question

W3C says there is a new attribute in HTML5.1 called nonce for style and script that can be used by the Content Security Policy of a website.

I googled about it but finally didn't get what this attribute actually does and what changes when using it.

Accepted answer

The nonce attribute allows you to "whitelist" certain inline script and style elements, while avoiding use of the CSP unsafe-inline directive (which would allow all inline script/style), so that you still retain the key CSP feature of disallowing inline script/style in general.

So the nonce attribute is a way to tell browsers that the inline contents of a particular script or style element weren't injected into the document by some (malicious) third party, but were instead put in the document intentionally by whoever controls the server the document is served from.

The Web Fundamentals Content Security Policy article's "If you absolutely must use it ..." section has a good example of how to use the nonce attribute, which amounts to the following steps:

  1. For every request your web server receives for a particular document, have your backend generate a random base64-encoded string of at least 128 bits from a cryptographically secure random number generator; for example, EDNnf03nceIOfn39fn3e9h3sdfa. That's your nonce.

  2. Take the nonce generated in step 1, and for any inline script/style you want to "whitelist", make your backend code insert a nonce attribute into the document before it's sent over the wire, with that nonce as the value:

 <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">…</script>

  3. Take the nonce generated in step 1, prepend nonce-, and make your backend generate a CSP header with that among the values of the source list for script-src or style-src:

 Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'

So the mechanism of using a nonce is an alternative to having your backend generate a hash of the contents of the inline script or style you want to allow, and then specifying that hash in the appropriate source list in your CSP header.

Note that because browsers don't (can't) check that the nonce value sent changes between page requests, it's possible (though totally inadvisable) to skip 1 above and not have your backend do anything dynamically for the nonce, in which case you could just put a nonce attribute with a static value into the HTML source of your doc, and send a static CSP header with that same nonce value.

But the reason you'd not want to use a static nonce in that way is that it'd pretty much defeat the entire purpose of using the nonce at all to begin with, because if you were to use a static nonce like that, at that point you might as well just be using unsafe-inline.

As far as which elements are "nonceable": the CSP spec currently restricts browsers to checking nonces only for script and style elements. Here are the spec details:

At https://w3c.github.io/webappsec-csp/#is-element-nonceable, the "Is element nonceable?" algorithm itself doesn't check just for script/style elements; but the only place the spec calls that from is the part cited above, which restricts it to script and style. So if you put a nonce on any other element, the current spec requires browsers to ignore it.
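The three steps above and the hash alternative, carried through end to end as an added example (this is not code from the original question or answer, and not from the Web Fundamentals article). It is a minimal Python HTTP server that mints a fresh 128-bit nonce per request, stamps it on the inline `<script>`, and emits the matching `Content-Security-Policy` header; it also computes the `'sha256-...'` source that the hash approach would use instead. The inline script text and the `element_allowed` check, which mimics only the nonce/hash part of what a browser does with `script-src`, are constructed for this example.

```python
import base64
import hashlib
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Inline script we want the browser to run (constructed for this example).
INLINE_SCRIPT = "document.getElementById('msg').textContent = 'CSP nonce OK';"


def generate_nonce() -> str:
    """Step 1: 128 bits from a CSPRNG, base64-encoded. Called once per request,
    so the value is never reused across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def render_page(nonce: str) -> str:
    """Step 2: stamp the per-request nonce on the inline script element.
    Base64 characters (A-Z a-z 0-9 + / =) need no HTML attribute escaping."""
    return (
        "<!doctype html><html><body><p id='msg'>no script ran</p>"
        f'<script nonce="{nonce}">{INLINE_SCRIPT}</script>'
        "</body></html>"
    )


def csp_header_for_nonce(nonce: str) -> str:
    """Step 3: 'nonce-<value>' in script-src, and no 'unsafe-inline'."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


def script_hash_source(script_body: str) -> str:
    """Hash alternative: SHA-256 over the element's exact text content
    (UTF-8), base64-encoded, as a 'sha256-...' source expression."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def csp_header_for_hash(script_body: str) -> str:
    """Static policy that allows exactly one inline script body, no nonce."""
    return f"script-src {script_hash_source(script_body)}; object-src 'none'"


def element_allowed(policy: str, element_nonce: Optional[str], script_body: str) -> bool:
    """Toy model of the browser-side check for an inline <script>: allowed
    only if script-src carries the element's nonce or a hash of its body.
    Ignores 'unsafe-inline', 'strict-dynamic', fallback to default-src, etc."""
    for directive in policy.split(";"):
        parts = directive.split()
        if not parts or parts[0] != "script-src":
            continue
        sources = parts[1:]
        if element_nonce is not None and f"'nonce-{element_nonce}'" in sources:
            return True
        if script_hash_source(script_body) in sources:
            return True
    return False


class NonceHandler(BaseHTTPRequestHandler):
    """Serves the page; the nonce in the body and in the header come from the
    same per-request value, which is what makes the scheme work."""

    def do_GET(self):
        nonce = generate_nonce()
        body = render_page(nonce).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", csp_header_for_nonce(nonce))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Run, then reload http://127.0.0.1:8000/ twice and compare the nonce in
    # view-source against the response header: it changes on every request.
    HTTPServer(("127.0.0.1", 8000), NonceHandler).serve_forever()
```

An injected `<script>` lacks the nonce (the attacker cannot read the header of a response they did not receive) and its body will not match a pre-computed hash, so `element_allowed` rejects it under either policy; the hash variant is the right choice when the script body is fixed and the page is served statically, the nonce variant when the page is rendered per request anyway.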

