[英]Content Security Policy violation in CORS environment
I have an angular 2 client, a resource server and an authentication server. 我有一个angular 2客户端,一个资源服务器和一个身份验证服务器。 Everything was running smoothly till I came to screeching halt this afternoon
一切运行顺利,直到今天下午我叫停
here is an image of the error I am getting 这是我得到的错误的图像
Let me add that I have seen several issues relating to this and have tried almost all the solutions prescribed to no avail 让我补充说,我已经看到了与此有关的几个问题,并且尝试了几乎所有规定的解决方案都无济于事
I also have the following class that is suppose to provide me cover from this policy violation 我还开设了以下课程,旨在为我提供本次违反政策的保障
public class SecurityHeadersAttribute : ActionFilterAttribute
{
public override void OnResultExecuting(ResultExecutingContext context)
{
var result = context.Result;
if (result is ViewResult)
{
if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Type-Options"))
{
context.HttpContext.Response.Headers.Add("X-Content-Type-Options", "nosniff");
}
if (!context.HttpContext.Response.Headers.ContainsKey("X-Frame-Options"))
{
context.HttpContext.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
}
var csp = "default-src 'self'";
// once for standards compliant browsers
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
// and once again for IE
if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("X-Content-Security-Policy", csp);
}
}
}
}
It however appears like after upgrading "Microsoft.AspNetCore.Mvc.Core" from version 1.1.2 to 1.1.3 my cover has been blown. 但是,将“ Microsoft.AspNetCore.Mvc.Core”从版本1.1.2升级到1.1.3之后,我的封面被炸了。 How can I get round this challenge?
我如何应对这个挑战?
Your CSP policy needs to allow content from https://ajax.aspnetcdn.com
. 您的CSP策略需要允许来自
https://ajax.aspnetcdn.com
内容。 So try changing this: 因此,请尝试更改此内容:
var csp = "default-src 'self'";
…to this: …对此:
var csp = "default-src 'self'; style-src https://ajax.aspnetcdn.com"; script-src https://ajax.aspnetcdn.com;
But based on the error message cited in the question, it seems the Content-Security-Policy
header value is getting set already somewhere other than in that part of your application code. 但是根据问题中引用的错误消息,似乎
Content-Security-Policy
标头值已经在应用程序代码的该部分以外的地方设置了。
So rather than using context.HttpContext.Response.Headers.Add
, which just adds another header, try using context.HttpContext.Response.Headers.Set
to override the existing value. 因此,不要使用仅添加另一个标头的
context.HttpContext.Response.Headers.Add
,而是尝试使用context.HttpContext.Response.Headers.Set
覆盖现有值。
If you do that, you also want to remove if
condition wrapped around the place you're setting it. 如果这样做,您还想删除条件
if
围绕您要设置的位置缠绕。
So try changing this: 因此,请尝试更改此内容:
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
…to just this: …仅此而已:
context.HttpContext.Response.Headers.Set("Content-Security-Policy", csp);
…so that in the end together you have this: …这样最后您就可以拥有:
var csp = "default-src 'self'; style-src https://ajax.aspnetcdn.com"; script-src https://ajax.aspnetcdn.com;
context.HttpContext.Response.Headers.Set("Content-Security-Policy", csp);
And if that doesn't work then you need to find the other place in the backend code where the Content-Security-Policy
header value is getting set, and change it so the value includes style-src https://ajax.aspnetcdn.com"; script-src https://ajax.aspnetcdn.com
. 如果这不起作用,则需要在后端代码中找到设置
Content-Security-Policy
标头值的其他位置,然后对其进行更改,以便该值包含style-src https://ajax.aspnetcdn.com"; script-src https://ajax.aspnetcdn.com
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.