怎么做使GWT产品严格的CSP可以兼容?
[英]What to do to make GWT product Strict CSP Comapatible?
问题描述
I have made a web app in gwt, CSP Mitigator is saying that, I have many eval statements and javascript uri's in js loaded, so my project is not Strict CSP Compatible . 
我在gwt中创建了一个Web应用程序,CSP Mitigator说,我在js中加载了很多eval语句和javascript uri,所以我的项目不是Strict CSP Compatible。
But problem in my case is that, I write code in java and gwwt make js for me. 但在我的情况下的问题是,我用java编写代码,gwwt为我编写js。
I also asked gwt community, but they says that in next release of gwt, csp compliance will be covered. 我还问过gwt社区,但是他们说在下一个gwt版本中,将涵盖csp合规性。
But till then, Do anyone knows, how can I solve this vulnerability . 但在此之前,有谁知道,我该如何解决这个漏洞。
2 个解决方案
解决方案1
4 已采纳 2017-12-21 06:31:39
已发布gwt 2.8.2,即csp合规性。
解决方案2
1 2018-04-03 10:15:36
Not entirely out of box, just improved CSP support in gwt-2.8.2. 并非完全开箱即用,只是改进了gwt-2.8.2中的CSP支持。
For instance GWT compiled js includes data URLs such as data:image/gif;base64.. and will violate img-src 'self'; 例如,GWT编译的js包括数据URL,例如data:image / gif; base64 ..并且会违反img-src'self';
It is awkward including such URLs in CSP. 在CSP中包含此类URL很尴尬。 More worse using img-src 'self' data:; 更糟糕的是使用img-src'self'数据: as hackers can inject anything in data scheme. 因为黑客可以在数据方案中注入任何东西。
This can be turned off in module gwt.xml. 这可以在模块gwt.xml中关闭。 Disable the use of data: URLs 禁用数据:URL
<set-property name="ClientBundle.enableInlining" value="false" />
There are also pending CSP issues where GWT code base still uses eval that require unsafe-eval in CSP declarations. 还存在未决的CSP问题,其中GWT代码库仍然使用在CSP声明中需要不安全eval的eval。
Additionally, this is an issue since it violates CSP, as eval isn't particularly safe, and some sites would like to forbid its use to further protect their data and their users.
https://github.com/gwtproject/gwt/issues/9578 https://github.com/gwtproject/gwt/issues/9578
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.