HTML“随机数”的目的是什么?脚本和样式元素的属性? [英] What’s the purpose of the HTML "nonce" attribute for script and style elements?
问题描述
nonce
,用于样式
和脚本
,可以被网站的内容安全策略使用。 我搜索了一下,但最终没有得到它的内容这个属性在使用它时做了什么更改?
因此, https://developers.google.com/web/fundamentals/security/csp/#if_you_absolutely_must_use_it 给出了一个很好的示例,说明如何使用 对于每个请求,您的Web服务器接收一个特定的文件,让你的后端从密码安全的随机数发生器产生一个至少128位数据的随机base64编码的字符串;例如脚本
和样式
元素列入白名单,同时避免使用CSP 不安全的内联
指令(这将允许所有内联脚本
/ style code>),因此您仍然保留一般禁止内联
你想要白名单,让你的后端代码在通过线路发送之前在文档中插入一个脚本
/ 样式
的关键CSP功能。
nonce
属性是告诉浏览器特定脚本或样式元素的内联内容是没有被一些(恶意的)第三方注入到文档中,而是被放入int中o通过控制文档所服务的服务器的人来故意的文档。
nonce
属性,它归结为以下步骤:
EDNnf03nceIOfn39fn3e9h3sdfa
。这是你的随机数。 nonce
属性到文档中,该值作为值:
< script nonce =EDNnf03nceIOfn39fn3e9h3sdfa> ...< / script>
取第1步中产生的nonce,前面加上 nonce-
,并让后端生成一个CSP头,其中包含 script-src
或 style-src
:
Content-Security-Policy:script-src'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
因此,使用随机数的机制是一种替代方法而不是让你的后端生成你想允许的内联脚本
或样式
的内容的散列,然后请注意,由于浏览器不(无法)检查nonce值是否在页面请求之间发送了更改,虽然完全不可取,但可以跳过1而不让后端为nonce动态地执行任何操作,在这种情况下,您可以将 nonce
属性与一个静态值到你的文档的HTML源代码中,并发送一个具有相同nonce值的静态CSP头。
但是你不想使用静态nonce就是这样,它几乎无法打破使用nonce的全部目的 - 因为如果你要使用这样的静态nonce,那么你可能只需要使用 unsafe-inline
。
W3C says there is a new attribute in HTML5.1 called nonce
for style
and script
that can be used by the Content Security Policy of a website.
I googled about it but finally didn't get it what actually this attribute do and what changes when using it?
The nonce
attribute enables you to "whitelist" certain inline script
and style
elements, while avoiding use of the CSP unsafe-inline
directive (which would allow all inline script
/style
), so that you still retain the key CSP feature of disallowing inline script
/style
in general.
So the nonce
attribute is way of telling browsers that the inline contents of a particular script or style element were not injected into the document by some (malicious) third party, but were instead put into the document intentionally by whoever controls the server the document is served from.
https://developers.google.com/web/fundamentals/security/csp/#if_you_absolutely_must_use_it gives a good example of how to use the nonce
attribute, which comes down to the following steps:
For every request your Web server receives for a particular document, have your backend generate a random base64-encoded string of at least 128 bits of data from a cryptographically secure random number generator; e.g.,
EDNnf03nceIOfn39fn3e9h3sdfa
. That’s your nonce.Take the nonce generated in step 1, and for any inline
script
/style
you want to "whitelist", make your backend code insert anonce
attribute into the document before it’s sent over the wire, with that nonce as the value:<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">…</script>
Take the nonce generated in step 1, prepend
nonce-
to it, and make your backend generate a CSP header with that among the values of the source list forscript-src
orstyle-src
:Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
So the mechanism of using a nonce is an alternative to instead having your backend generate a hash of the contents of the inline script
or style
you want to allow, and then specifying that hash in the appropriate source list in your CSP header.
Note that because browsers don’t (can’t) check that the nonce value sent changes between page requests, it’s possible—though totally inadvisable—to skip 1 above and not have your backend do anything dynamically for the nonce, in which case you could just put a nonce
attribute with a static value into the HTML source of your doc, and send a static CSP header with that same nonce value.
But the reason you’d not want to use a static nonce in that way is, it’d pretty much defeat the entire purpose of using the nonce at all to begin with—because, if you were to use a static nonce like that, at that point you might as well just be using unsafe-inline
.
这篇关于HTML“随机数”的目的是什么?脚本和样式元素的属性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!