
Google's Strict CSP 3, style-src?

Engineers at Google have developed and recommend using a strict CSP: https://csp.withgoogle.com/docs/strict-csp.html

The goal is to only allow scripts which have a nonce. There is no style-src directive in their CSP, so in our app I am able to load things like Google Fonts, external CSS sheets etc. without a nonce.

This seems like a lapse in their CSP, or am I missing something?

I think what's happening is that the newer 'strict-dynamic' setting they recommend is allowing the autoloading of some of your dependencies.

The 'strict-dynamic' source expression aims to make Content Security Policy simpler to deploy for existing applications who have a high degree of confidence in the scripts they load directly, but low confidence in their ability to provide a reasonable list of resources to load up front.

It allows scripts which are given access to the page via nonces or hashes to bring in their dependencies without adding them explicitly to the page's policy.

ref: https://w3c.github.io/webappsec-csp/#strict-dynamic-usage
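An added example, not code from the original post or from Google's strict-CSP documentation: a small evaluator that models how a browser applies a policy of the shape published at csp.withgoogle.com to script and stylesheet loads. It covers the two behaviours discussed above, the 'strict-dynamic' propagation quoted from the spec (a nonced script may create further script elements with createElement, while parser-inserted scripts without a nonce are blocked) and the question's observation that a policy with no style-src directive does not restrict stylesheet loads. The nonce value, hostnames and page origin are constructed for illustration; hash sources and reporting directives are not modelled.

```javascript
// Added example: a reduced model of CSP source-list matching for script-src
// and style-src. Not the page's or Google's code; nonce, origins and URLs
// below are made up for illustration. Hash sources are not modelled.

const PAGE_ORIGIN = "https://app.example"; // assumed origin of the page (used for 'self')

// Policy in the shape Google recommends; the nonce is a placeholder value.
const STRICT_CSP =
  "object-src 'none'; " +
  "script-src 'nonce-rAnd0m123' 'strict-dynamic' https: 'unsafe-inline'; " +
  "base-uri 'none';";

// "directive src1 src2; directive ..." -> Map(directive -> [src, ...])
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // A repeated directive is ignored after its first occurrence, as in the spec.
    if (!policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Nonce values declared in a source list, e.g. 'nonce-rAnd0m123' -> rAnd0m123
function noncesIn(sources) {
  return sources
    .filter((s) => s.startsWith("'nonce-") && s.endsWith("'"))
    .map((s) => s.slice("'nonce-".length, -1));
}

// Host/scheme matching used when 'strict-dynamic' is absent: 'self', '*',
// scheme sources such as https: and origin-level host sources.
function hostMatches(source, url) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === PAGE_ORIGIN;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  try {
    return new URL(source).origin === target.origin;
  } catch {
    return false; // keyword sources like 'unsafe-inline' or 'none' never match a host
  }
}

// req: { url?, nonce?, parserInserted }. A missing url means an inline script.
// parserInserted is true for <script> present in the markup or injected through
// document.write()/innerHTML, false for elements built with createElement().
function scriptAllowed(policy, req) {
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (!sources) return true; // no directive governs script loads at all
  const nonces = noncesIn(sources);
  const strictDynamic = sources.includes("'strict-dynamic'");

  if (req.nonce && nonces.includes(req.nonce)) return true; // granted directly by the page

  if (strictDynamic) {
    // 'strict-dynamic': host/scheme allowlists, 'self' and 'unsafe-inline' are
    // ignored. A non-parser-inserted script element is trusted on the grounds that
    // only already-trusted (nonced) script could have created it; anything the
    // parser inserted without a nonce is blocked.
    return req.url !== undefined && !req.parserInserted;
  }

  if (req.url === undefined) {
    // Inline script: 'unsafe-inline' only counts when no nonce is declared.
    return nonces.length === 0 && sources.includes("'unsafe-inline'");
  }
  return sources.some((s) => hostMatches(s, req.url));
}

// Stylesheets are governed by style-src, falling back to default-src. When neither
// exists, as in STRICT_CSP above, the load is unrestricted: no nonce is required.
function stylesheetAllowed(policy, req) {
  const sources = policy.get("style-src") ?? policy.get("default-src");
  if (!sources) return true;
  const nonces = noncesIn(sources);
  if (req.nonce && nonces.includes(req.nonce)) return true;
  if (req.url === undefined) return nonces.length === 0 && sources.includes("'unsafe-inline'");
  return sources.some((s) => hostMatches(s, req.url));
}

const policy = parsePolicy(STRICT_CSP);
// Nonced bootstrap script in the markup, then the dependency it creates with createElement():
console.log(scriptAllowed(policy, { url: "https://app.example/boot.js", nonce: "rAnd0m123", parserInserted: true }));
console.log(scriptAllowed(policy, { url: "https://cdn.example/lib.js", parserInserted: false }));
// The same dependency written with document.write(), or an injected <script> without a nonce:
console.log(scriptAllowed(policy, { url: "https://cdn.example/lib.js", parserInserted: true }));
// An external stylesheet with no nonce, under a policy that has no style-src:
console.log(stylesheetAllowed(policy, { url: "https://fonts.googleapis.com/css?family=Roboto" }));
```

Appending `style-src 'nonce-rAnd0m123'` to the same policy string and re-running `stylesheetAllowed` shows the stylesheet being refused until the link element carries the matching nonce; that is the directive the question notes is absent from the published policy.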
