
MVC Ajax.BeginForm and Content Security Policy

To prevent cross-site scripting I implemented CSP on one of my applications. At the moment I'm reconfiguring all html classes, so that javascript always comes from my server.

Now I found a page with an Ajax.BeginForm and always get the error "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'"." when I want to submit the form and update the view.

Can anybody help me find where the problem is?

Here are my html classes (shortened):

UserInformation.cshtml:

<div id="OpenAccountInformation">@Html.Action("OpenAccountInformation")</div>
</div>

AccountInformation.cshtml:

@Scripts.Render("~/Scripts/bundles/ManageUsers/AccountInformation")
@model Tumormodelle.Models.ViewModels.AzaraUserModel

<input type="hidden" value="@ViewBag.Editable" id="EditableUserInformation">
<div id="Editable">
    @using (Ajax.BeginForm("EditUser", "ManageUsers", new AjaxOptions { InsertionMode = InsertionMode.Replace, UpdateTargetId = "OpenAccountInformation", HttpMethod = "post", }))
    {
        @Html.AntiForgeryToken()
        @Html.HiddenFor(m => m.UserID)
        <div>
            <div>
                @Html.LabelFor(m => m.Username, new { @class = "entryFieldLabel" })
            </div>
        </div>
        <div>
            <div>
                <button name="button" value="save" class="formbutton" id="saveButton">save</button>
                <button name="button" value="cancel" class="formbutton" id="cancelButton">cancel</button>
            </div>
        </div>
    }
</div>

<div id="NonEditable">
    <div>
        <div>
            @Html.LabelFor(m => m.Username, new { @class = "entryFieldLabel" })
        </div>
    </div>
    <div>
        <div>
            <button name="button" value="edit" class="formbutton" id="editButton" type="button">edit</button>
        </div>
    </div>
</div>

And the C# methods:

public ActionResult EditUser(AzaraUserModel AzaraUserModel, string button)
{
    if (button == Tumormodelle.Properties.Resources.Save)
    {
        if (ModelState.IsValid)
        {
            azaraUserManagement.Update(AzaraUserModel.Username, AzaraUserModel.Title, AzaraUserModel.FirstName, AzaraUserModel.LastName, AzaraUserModel.EMailAddress, null, AzaraUserModel.Phone, AzaraUserModel.UserID, (byte)AzaraUserModel.ShowMail.ID);
            ViewBag.Message = Tumormodelle.Properties.Resources.Personal_Data_Changed;
            ViewBag.Editable = true;
        }
        else ViewBag.Editable = false;
        BindShowMailList();
        return PartialView("AccountInformation", AzaraUserModel);
    }
    else
    {
        return RedirectToAction("OpenAccountInformation", "ManageUsers");
    }
}

public ActionResult UserInformation()
{
    return View("UserInformation");
}

public PartialViewResult OpenAccountInformation()
{
    AzaraUserModel AzaraUserModel = new AzaraUserModel(azaraUserManagement.GetSingle(AzaraSession.Current.UserComparison.GetUser().Id));
    BindShowMailList();
    ViewBag.Editable = true;
    return PartialView("AccountInformation", AzaraUserModel);
}

Edit: With the help of the Chrome debugger I found out that the error is thrown the moment the form is submitted.

Ajax.BeginForm will generate inline script in the generated HTML of your page, which you have disallowed by using script-src 'self' in your Content Security Policy.

If you want to use the CSP to prevent any inline injected scripts, you must use Html.BeginForm instead and add the JavaScript to submit this via Ajax in an external .js file.
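The external-script submit that the answer above recommends, as an added example that is not part of the original post or of ASP.NET MVC: a file served from the application's own origin (so it is allowed by script-src 'self') that replaces the Ajax.BeginForm behaviour with fetch and never evaluates a string as script. It assumes the view switches to Html.BeginForm("EditUser", "ManageUsers", FormMethod.Post, new { data_ajax_target = "OpenAccountInformation", data_ajax_mode = "replace" }); the data-ajax-target and data-ajax-mode attribute names are chosen for this example. The antiforgery token needs no special handling, because @Html.AntiForgeryToken() renders it as a hidden field and the whole form is serialized.

```javascript
'use strict';
// Added example, not code from the original post or from ASP.NET MVC: a CSP-friendly
// replacement for Ajax.BeginForm. Keep it in an external .js file on the app's own
// origin so script-src 'self' allows it; nothing here calls eval(), so 'unsafe-eval'
// is not needed. Assumed markup (attribute names chosen for this example):
//   @using (Html.BeginForm("EditUser", "ManageUsers", FormMethod.Post,
//           new { data_ajax_target = "OpenAccountInformation", data_ajax_mode = "replace" }))

// Encode [name, value] pairs as application/x-www-form-urlencoded.
// Pure function with no DOM access, so it can be exercised outside a browser.
function encodeFormPairs(pairs) {
  return pairs
    .map(([name, value]) => encodeURIComponent(name) + '=' + encodeURIComponent(value))
    .join('&');
}

// Take the entries of new FormData(form) (which already include the hidden
// __RequestVerificationToken that @Html.AntiForgeryToken() rendered) and append the
// clicked button. FormData built from the form alone omits the submit button, but the
// controller binds `string button` from it to tell "save" from "cancel".
function collectPairs(entries, submitter) {
  const pairs = [];
  for (const [name, value] of entries) {
    if (typeof value === 'string') pairs.push([name, value]); // skip File objects
  }
  if (submitter && submitter.name) pairs.push([submitter.name, submitter.value]);
  return pairs;
}

// Describe the fetch call: same-origin POST with the URL-encoded body and the
// X-Requested-With header that MVC's Request.IsAjaxRequest() looks for.
function buildSubmitRequest(action, method, pairs) {
  return {
    url: action,
    options: {
      method: (method || 'post').toUpperCase(),
      credentials: 'same-origin',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest',
      },
      body: encodeFormPairs(pairs),
    },
  };
}

// InsertionMode.Replace: swap the target's content for the returned partial view.
// innerHTML never executes <script> elements it inserts, so the partial must not
// rely on inline scripts or on its own @Scripts.Render; the handlers live in this
// file (the delegated listener below survives the replacement) and the bundle
// belongs in the parent view instead.
function applyResponse(target, html, mode) {
  if (mode !== 'replace') throw new Error('unsupported data-ajax-mode: ' + mode);
  target.innerHTML = html;
  return target;
}

async function submitViaFetch(form, submitter, fetchImpl, doc) {
  const target = doc.getElementById(form.getAttribute('data-ajax-target'));
  const pairs = collectPairs(new FormData(form).entries(), submitter);
  const { url, options } = buildSubmitRequest(form.action, form.method, pairs);
  const response = await fetchImpl(url, options);
  if (!response.ok) throw new Error('form post failed with HTTP ' + response.status);
  const mode = form.getAttribute('data-ajax-mode') || 'replace';
  return applyResponse(target, await response.text(), mode);
}

// One delegated listener on the document: it keeps working after the target div
// (and the form inside it) has been replaced by the returned partial view.
// ev.submitter (SubmitEvent.submitter) is what carries the clicked button.
if (typeof document !== 'undefined') {
  document.addEventListener('submit', (ev) => {
    const form = ev.target;
    if (!(form instanceof HTMLFormElement) || !form.hasAttribute('data-ajax-target')) return;
    ev.preventDefault();
    submitViaFetch(form, ev.submitter, fetch, document).catch((err) => console.error(err));
  });
}
```

The design point is that the response carries no script at all: the partial view is inserted as plain HTML and every handler is registered from this external file, so there is nothing for the client to evaluate and the policy can stay at script-src 'self'. Move the @Scripts.Render bundle from AccountInformation.cshtml into UserInformation.cshtml for the same reason.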

Try adding this attribute to the controller's POST action:

[ValidateInput(false)]
