[英]CSP hash or nonce for inline JS within attribute
New to Content Security Policy stuff so not sure if this is possible or not, but wondering how to add a hash or nonce for some inline script within a HTML element's attribute.内容安全策略的新手,所以不确定这是否可能,但想知道如何在 HTML 元素的属性中为某些内联脚本添加哈希或随机数。
For example:例如:
<form method="post" onsubmit="function();">
Gives me the following CSP error in Google Chrome:在 Google Chrome 中给我以下 CSP 错误:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'. Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
拒绝执行内联事件处理程序,因为它违反了以下内容安全策略指令:“script-src 'self'。'unsafe-inline' 关键字、哈希('sha256-...')或随机数(' nonce-...') 是启用内联执行所必需的。
I've tried hashing just the script eg function();
我试过只对脚本进行哈希处理,例如
function();
as well as onsubmit="function"
and neither work.以及
onsubmit="function"
都不起作用。 I tried adding a nonce to the form element but that didn't help.我尝试向表单元素添加一个随机数,但这没有帮助。
If needed I can move the event binding outside of the element attribute, just curious if there is a way to adhere to a CSP with the above.如果需要,我可以将事件绑定移到元素属性之外,只是好奇是否有办法遵循上述 CSP。
Go to your endpoint where your content is being blocked.转到您的内容被阻止的端点。 Check out the console on your browser.
在浏览器上查看控制台。 Your browser will notify the content which is being blocked, and it will also give you the hash you have to use to unblock that content via CSP.
您的浏览器将通知被阻止的内容,它还会为您提供用于通过 CSP 取消阻止该内容的哈希值。
Source: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/来源: https : //www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.