What is the correct way to load a script with the 'strict-dynamic' CSP directive?
The idea of the Content Security Policy was to tell web browsers what content to load from where. This means that attackers should not be able to inject their own code if, for example, 'unsafe-inline' was not explicitly allowed (which is not the best thing to do).
Google also released a CSP Evaluator, which is designed to find possible mistakes in your policy. With the default settings, the tool recommends using the 'strict-dynamic' policy for 'script-src'. The idea behind it is that you write a loader for whichever JavaScript sources you require and forbid everything else.
What is considered the "correct" way to implement such a loader? Should the loader be written yourself (see below for example) or should a tool be used to create such a loader? (Please note that this question is not asking for a specific tool recommendation)
var imported = document.createElement('script');
imported.src = '/path/to/imported/script';
document.head.appendChild(imported);
My website currently has the following policy:
default-src 'none';
img-src 'self';
style-src 'self' https://stackpath.bootstrapcdn.com 'sha256-bviLPwiqrYk7TOtr5i2eb7I5exfGcGEvVuxmITyg//c=';
script-src https://use.fontawesome.com https://code.jquery.com https://cdnjs.cloudflare.com https://stackpath.bootstrapcdn.com;
base-uri 'none';
form-action 'none';
frame-ancestors 'none';
Google's tool suggested the following:
Host whitelists can frequently be bypassed. Consider using 'strict-dynamic' in combination with CSP nonces or hashes.
As such, I want to implement a loader to load these JS frameworks and I want to know how to best approach this issue.
An immediate answer is that as long as the script you're dynamically loading (/path/to/imported/script) is hosted in a domain that you've already whitelisted in script-src, you don't have to modify your CSP or change your loader -- everything will work as expected.
However, a broader problem is that your script-src whitelist includes domains that host JavaScript which can be used by an attacker who finds a markup injection bug in your application to bypass your CSP. For example, https://cdnjs.cloudflare.com hosts Angular (https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.2/angular.min.js) which can be used by an attacker to convert an HTML injection into arbitrary script execution (here is a paper about this).
The suggestion in the CSP Evaluator tool is to switch your application to rely on a script-src which uses CSP nonces instead of the whitelist. To do this you would need to follow the process outlined at https://csp.withgoogle.com/docs/strict-csp.html -- basically, make sure that every <script> element has a correct nonce attribute which changes for every page load, or instead use CSP3 hashes for static scripts.
Your CSP would then look like:
... script-src 'nonce-[random-value]' 'strict-dynamic' 'unsafe-inline' https:; ...
If you use 'strict-dynamic', your script loader does not have to change because browsers will automatically trust scripts added to your page via programmatic APIs such as appendChild().