[英]Make inlined JS Configuration object CSP-compliant (CSP Level 1)
My web application (JS part) needs to be configured by the server before loading. 加载之前,服务器需要配置我的Web应用程序(JS部分)。 Right now it is done in the following manner:
现在,它是通过以下方式完成的:
<script>
var configObj = {
setting1: "blah",
setting2: {val1: 1, val2:2},
};
</script>
<script src="myapp.js">
Config is request-specific and is inlined by server when html response is built. Config是特定于请求的,并且在构建html响应时由服务器内联。 It works well, but it violates
unsafe-inline
Content-Security Policy rule. 它运作良好,但是违反了
unsafe-inline
内容安全策略规则。
unfortunately we can't just rely on CSP Level 2 (hashes/nonces), we are stuck with Level 1 for now. 不幸的是,我们不能仅仅依靠CSP 2级(哈希/随机数),我们暂时还停留在1级。 Is there a proved/recommended way of configuring client app in a CSP-compliant way?
是否有经过验证/推荐的以符合CSP的方式配置客户端应用程序的方法?
So far I am thinking about embedding it into some DOM element as string and then JSON.parsing it. 到目前为止,我正在考虑将其作为字符串嵌入到某些DOM元素中,然后进行JSON.parsing。 Are there any other (better) options?
还有其他(更好)的选择吗?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.