
Make inlined JS Configuration object CSP-compliant (CSP Level 1)

My web application (JS part) needs to be configured by the server before loading. Right now it is done in the following manner:

<script>
var configObj = {
setting1: "blah",
setting2: {val1: 1, val2:2},
};
</script>
<script src="myapp.js"></script>

Config is request-specific and is inlined by the server when the HTML response is built. It works well, but it violates the unsafe-inline Content-Security-Policy rule.

Unfortunately we can't just rely on CSP Level 2 (hashes/nonces); we are stuck with Level 1 for now. Is there a proven/recommended way of configuring the client app in a CSP-compliant way?

So far I am thinking about embedding it into some DOM element as a string and then calling JSON.parse on it. Are there any other (better) options?

  • You can move all config options into data-* attributes and then read them in the script.
  • If you're worried about the compatibility of nonces, you may find this article interesting.
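Both routes raised above (the asker's "embed it as a string and JSON.parse it" and the comment's data-* attributes) work under CSP Level 1 because neither emits executable inline script: a `<script type="application/json">` block is never run by the browser, and an attribute is just data. The part that is easy to get wrong is the escaping. The config is request-specific, so its string values may be attacker-influenced, and plain `JSON.stringify` output is valid JavaScript but not safe HTML: a value containing `</script>` closes the element early and whatever follows becomes a live script. The following is an added example, not code from the original question or its comments; the element id `app-config`, the `data-config` attribute name, the sample config and the regex-based stand-ins for the HTML parser are all assumptions made so the round trip can be checked offline in Node.

```javascript
// Added example: hand a request-specific config to the client as data, not code.
//   1. a <script type="application/json"> block read via textContent + JSON.parse
//   2. a data-config attribute read via dataset + JSON.parse
// Names (app-config, data-config, SAMPLE_CONFIG) are assumptions for this demo.

// JSON.stringify output is valid JS but not safe HTML: a value containing
// "</script>" ends the element early. Escaping these characters keeps the text
// valid JSON (JSON.parse restores them) while removing every sequence the HTML
// parser could act on. U+2028/U+2029 are escaped for JS-source safety.
const JSON_ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

function serializeForScriptElement(config) {
  return JSON.stringify(config).replace(/[<>&\u2028\u2029]/g, (c) => JSON_ESCAPES[c]);
}

// The naive version, kept only to show the failure mode.
function serializeNaive(config) {
  return JSON.stringify(config);
}

// Server side, option 1: a non-executable script element.
function renderConfigScript(config, serialize = serializeForScriptElement) {
  return `<script id="app-config" type="application/json">${serialize(config)}</script>`;
}

// Server side, option 2: a data-* attribute. HTML attribute escaping keeps the
// value from breaking out of the quotes.
const ATTR_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

function renderConfigAttribute(config) {
  const escaped = JSON.stringify(config).replace(/[&"'<>]/g, (c) => ATTR_ESCAPES[c]);
  return `<div id="app" data-config="${escaped}"></div>`;
}

// Client side (what myapp.js would do): parse, never evaluate. `element` is a
// DOM node in the browser; offline, any object with the same properties works.
function validateConfig(config) {
  if (config === null || typeof config !== 'object' || Array.isArray(config)) {
    throw new TypeError('config must be a JSON object');
  }
  return config;
}

function readConfigFromScript(element) {
  return validateConfig(JSON.parse(element.textContent));
}

function readConfigFromDataset(element) {
  return validateConfig(JSON.parse(element.dataset.config));
}

// Offline stand-ins for the HTML parser (assumption: regex approximations).
// Like the real parser, the first "</script" ends the element, and entities in
// attribute values are decoded.
function parseScriptElement(html) {
  const m = /<script id="app-config" type="application\/json">([\s\S]*?)<\/script>/.exec(html);
  return { textContent: m ? m[1] : '' };
}

function parseDataAttribute(html) {
  const m = /data-config="([^"]*)"/.exec(html);
  const decoded = (m ? m[1] : '')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
  return { dataset: { config: decoded } };
}

// Constructed sample config: setting1 carries a hostile, user-influenced string.
const SAMPLE_CONFIG = {
  setting1: 'blah</script><script>alert(document.cookie)</script>',
  setting2: { val1: 1, val2: 2 },
};

function demo() {
  const safeHtml = renderConfigScript(SAMPLE_CONFIG);
  const naiveHtml = renderConfigScript(SAMPLE_CONFIG, serializeNaive);
  return {
    safeHtml,
    naiveHtml,
    // With escaping the config survives the round trip; naively the element is
    // cut off at the injected "</script>" and a live <script> follows it.
    safeRoundTrip: readConfigFromScript(parseScriptElement(safeHtml)),
    naiveTruncated: parseScriptElement(naiveHtml).textContent,
    naiveHasLiveScript: /<\/script><script>/.test(naiveHtml),
    attrRoundTrip: readConfigFromDataset(parseDataAttribute(renderConfigAttribute(SAMPLE_CONFIG))),
  };
}
```

In a real page the client side is `readConfigFromScript(document.getElementById('app-config'))` or `readConfigFromDataset(document.getElementById('app'))`; the regex parsers above only stand in for the browser so the demo runs without one. Whichever container is chosen, the rule is the same: escape on the way in and `JSON.parse` on the way out, never `eval` or an inline assignment.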
