CORS环境中违反内容安全政策
[英]Content Security Policy violation in CORS environment
问题描述
I have an angular 2 client, a resource server and an authentication server. 
我有一个angular 2客户端,一个资源服务器和一个身份验证服务器。 Everything was running smoothly till I came to screeching halt this afternoon 一切运行顺利,直到今天下午我叫停
here is an image of the error I am getting 这是我得到的错误的图像
Let me add that I have seen several issues relating to this and have tried almost all the solutions prescribed to no avail 让我补充说,我已经看到了与此有关的几个问题,并且尝试了几乎所有规定的解决方案都无济于事
I also have the following class that is suppose to provide me cover from this policy violation 我还开设了以下课程,旨在为我提供本次违反政策的保障
public class SecurityHeadersAttribute : ActionFilterAttribute
{
public override void OnResultExecuting(ResultExecutingContext context)
{
var result = context.Result;
if (result is ViewResult)
{
if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Type-Options"))
{
context.HttpContext.Response.Headers.Add("X-Content-Type-Options", "nosniff");
}
if (!context.HttpContext.Response.Headers.ContainsKey("X-Frame-Options"))
{
context.HttpContext.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
}
var csp = "default-src 'self'";
// once for standards compliant browsers
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
// and once again for IE
if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("X-Content-Security-Policy", csp);
}
}
}
}
It however appears like after upgrading "Microsoft.AspNetCore.Mvc.Core" from version 1.1.2 to 1.1.3 my cover has been blown. 但是,将“ Microsoft.AspNetCore.Mvc.Core”从版本1.1.2升级到1.1.3之后,我的封面被炸了。 How can I get round this challenge? 我如何应对这个挑战?
1 个解决方案
解决方案1
1 2017-05-28 01:17:48
Your CSP policy needs to allow content from https://ajax.aspnetcdn.com . 您的CSP策略需要允许来自https://ajax.aspnetcdn.com内容。 So try changing this: 因此,请尝试更改此内容:
var csp = "default-src 'self'";
…to this: …对此:
var csp = "default-src 'self'; style-src https://ajax.aspnetcdn.com"; script-src https://ajax.aspnetcdn.com;
But based on the error message cited in the question, it seems the Content-Security-Policy header value is getting set already somewhere other than in that part of your application code. 但是根据问题中引用的错误消息,似乎Content-Security-Policy标头值已经在应用程序代码的该部分以外的地方设置了。
So rather than using context.HttpContext.Response.Headers.Add , which just adds another header, try using context.HttpContext.Response.Headers.Set to override the existing value. 因此,不要使用仅添加另一个标头的context.HttpContext.Response.Headers.Add ,而是尝试使用context.HttpContext.Response.Headers.Set覆盖现有值。
If you do that, you also want to remove if condition wrapped around the place you're setting it. 如果这样做,您还想删除条件if围绕您要设置的位置缠绕。
So try changing this: 因此,请尝试更改此内容:
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
…to just this: …仅此而已:
context.HttpContext.Response.Headers.Set("Content-Security-Policy", csp);
…so that in the end together you have this: …这样最后您就可以拥有:
var csp = "default-src 'self'; style-src https://ajax.aspnetcdn.com"; script-src https://ajax.aspnetcdn.com;
context.HttpContext.Response.Headers.Set("Content-Security-Policy", csp);
And if that doesn't work then you need to find the other place in the backend code where the Content-Security-Policy header value is getting set, and change it so the value includes style-src https://ajax.aspnetcdn.com"; script-src https://ajax.aspnetcdn.com . 如果这不起作用,则需要在后端代码中找到设置Content-Security-Policy标头值的其他位置,然后对其进行更改,以便该值包含style-src https://ajax.aspnetcdn.com"; script-src https://ajax.aspnetcdn.com 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.