[英]CSP style-src: 'unsafe-inline' - is it worth it?
Currently I'm using Modernizr on all my sites and it turns out because of how it works it requires unsafe-inline
styles to be allowed.目前我在我的所有网站上都使用 Modernizr,事实证明,由于它的工作方式,它需要允许
unsafe-inline
样式。 I am already not allowing inline scripts and unsafe-eval for scripts.我已经不允许内联脚本和脚本的 unsafe-eval 了。 Curious as to what security risks there are for allowing inline styles?
好奇允许内联样式存在哪些安全风险?
Allowing inline styles makes you susceptible to a the "other XSS".允许内联样式使您容易受到“其他 XSS”的影响。 Cross Site Styling attacks.
跨站点样式攻击。
The idea here is that any places where a user can inject a style attribute into your document they can modify the appearance of your page any way they want.这里的想法是,用户可以在您的文档中注入样式属性的任何地方,他们都可以按照他们想要的方式修改页面的外观。 I'll list a couple potential attacks ordered by increasing severity:
我将列出几个按严重程度排序的潜在攻击:
The fourth example, with the information being leaked to external domains could be entirely prevented in spite of the unsafe-inline
provided you ensure your other CSP rules never allow any kind of request to go to a untrusted or wildcard domain.第四个示例,尽管存在
unsafe-inline
,但可以完全防止信息泄露到外部域,前提是您确保您的其他 CSP 规则永远不允许任何类型的请求进入不受信任或通配符域。 But the first 3 will always be possible if you miss blocking a style attribute somewhere.但是如果您错过在某处阻止样式属性,前 3 个总是可能的。
Mike West did a good talk on this for CSSConf a few years back for some more examples.几年前, Mike West为 CSSConf 做了一个很好的 演讲,提供了更多的例子。
Personally I find not using unsafe-inline for CSS is impractical.就我个人而言,我发现不对 CSS 使用 unsafe-inline 是不切实际的。 It means I have to use an external style sheet file for EVERY style.
这意味着我必须为每种样式使用外部样式表文件。 Coloring text, centering text etc. It can be done.
着色文本,居中文本等。它可以做到。 You can do this by using a main style sheet "main.css" and a file sheet for every page ("index.css", "contect.css", etc).
您可以通过使用主样式表“main.css”和每个页面的文件表(“index.css”、“contect.css”等)来做到这一点。 However I am not so stupid that I allow arbitrary code execution;
但是,我并没有那么愚蠢,以至于允许任意代码执行; I filter out all less then and grater then signs.
我过滤掉所有更少的东西,然后擦掉所有的迹象。 I find this to be an unreasonable restriction.
我认为这是一个不合理的限制。 Blocking inline JavaScript is not as bad as blocking inline CSS.
阻止内联 JavaScript 并不像阻止内联 CSS 那样糟糕。 I can see blocking inline JavaScript.
我可以看到阻塞内联 JavaScript。 However I don't think I will do that ether.
但是我不认为我会那样做。 If you are careful to filter your less then and grater then signs (there are some other stupid things you can do besides not filtering these) if you don't make stupid mistakes that allows arbitrary code execution then you are safe.
如果你小心地过滤你的 less then 和 grater then 符号(除了不过滤这些之外,你还可以做一些其他愚蠢的事情)如果你不犯允许任意代码执行的愚蠢错误,那么你是安全的。 These inline blocks are only created to protect web developers that screw up there code in a way that allows arbitrary code execution.
创建这些内联块只是为了保护以允许任意代码执行的方式搞砸代码的 Web 开发人员。 But the blocks make it a bit harder to code.
但是这些块使编码变得有点困难。 So it's a trade off.
所以这是一个权衡。
TLDR IMHO not worth blocking inline CSS, worth blocking inline JavaScript but unnecessary. TLDR 恕我直言,不值得阻止内联 CSS,值得阻止内联 JavaScript,但没有必要。 I will NOT consider blocking inline CSS, I am not going to block inline JavaScript but I might consider it.
我不会考虑阻止内联 CSS,我不会阻止内联 JavaScript,但我可能会考虑。
Experience: I am a web designer that designs in code using HTML CSS JavaScript and PHP.经验:我是一名网页设计师,使用 HTML CSS JavaScript 和 PHP 进行代码设计。 I have my own website that I coded by hand.
我有自己的网站,我手工编码。 And I validate with the official w3 validator.
我使用官方的 w3 验证器进行验证。 I keep up with web design standards like HTML5.
我跟上 HTML5 等网页设计标准。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.