CSP-当动态放置页面元素时,如何解决style-src unsafe-inline
[英]CSP - How to solve style-src unsafe-inline -when having dynamically positioned page elements
问题描述
In our app code we allow some objects to drag and drop around the page. 
在我们的应用程序代码中,我们允许一些对象在页面上拖放。 Also we have things like popups that need to be positioned below buttons and dialogs that we position in the page ect. 此外,我们还需要将弹出窗口等内容放置在我们在页面等中放置的按钮和对话框的下方。
To do so we need to allow the following inline css properties 为此,我们需要允许以下内联css属性
- z-index z-index的
- top, bottom, left, right 上,下,左,右
- height, width 高度宽度
We cant really make classes for this, imagine left for example could be 0 to 20000 so we would need millions of classes. 我们不能为此真正地创建类,想象一下例如剩下的可能是0到20000,因此我们将需要数百万个类。
I cant see any way other than inline css. 除了嵌入式CSS,我看不到其他任何方式。
So to solve for CSP ( https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP ) then that means we need to fully allow style-src: unsafe-inline 因此,要解决CSP( https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP ),则意味着我们需要完全允许style-src: unsafe-inline
I'm sure this is a common scenario. 我敢肯定这是常见的情况。 What do people do about this case? 人们对这种情况怎么办? We also use veracode to scan our software so im thinking we just "mitagate" this by explaining that we only allow a set of inline css attributes. 我们还使用veracode扫描软件,因此我认为我们只是通过解释说仅允许一组内联CSS属性来“缓解”这种情况。
But i would think maybe CSP should allow a certain subset of dynamic css attributes. 但是我认为也许CSP应该允许动态CSS属性的某些子集。
Has anyone encountered this and have any thoughts? 有没有人遇到过这个想法?
2 个解决方案
解决方案1
3 已采纳 2018-07-30 11:23:04
When you write CSS to elements via JavaScript using the CSSOM, it's not the same as literally writing style=“...”; 当您使用CSSOM通过JavaScript将CSS写入元素时,这与从字面上编写style =“ ...”并不相同。 rather, you are directly manipulating the DOM [correction: the CSSOM]. 而是直接操作DOM [更正:CSSOM]。 CSP allows these types of styles even when not allowing unsafe-inline styles. 即使不允许不安全的内联样式,CSP仍允许这些类型的样式。
(See here for an example. You don't want to add a literal “style” attribute to the element, but use the CSSOM — https://stackoverflow.com/a/29089970/339440 ) (请参见此处的示例。您不想在元素上添加文字“ style”属性,而是使用CSSOM- https: //stackoverflow.com/a/29089970/339440)
解决方案2
0 2018-07-27 20:33:03
Unfortunately, there's currently no "clean" way of doing this. 不幸的是,目前还没有“干净”的方法。 CSP doesn't currently have any way of inspecting style attributes to determine if they're safe; CSP目前尚无任何检查style属性以确定其是否安全的方法。 it's unclear that this is possible at all, as almost any CSS attribute could be used to create misleading or otherwise unintended content on a site. 尚不清楚这是否有可能,因为几乎所有CSS属性都可用于在网站上创建误导性或其他意外内容。
The options I see are: 我看到的选项是:
Use a CSP nonce to allow inline
styleattributes on selected elements.使用CSP nonce允许在选定元素上使用内联style属性。 This is similar tounsafe-inline, but more selective (and hence a bit safer).这类似于unsafe-inline,但是更具选择性(因此更安全)。When CSS
attr()is implemented in all common browsers, you :在所有常见浏览器中实现CSS attr(),您:/* ATTENTION: This is not a working example; see below */ .position-by-attr { left: attr(data-left px); top: attr(data-top px); }<div class="position-by-attr" left="123" top="456"> … </div>However, note that this feature is not currently implemented in any browser .
但是,请注意, 当前没有在任何浏览器中实现此功能 。 It is present in the CSS3 specification, but has not been implemented. 它存在于CSS3规范中,但尚未实现。 It may be years (if ever) before it is practically usable. 实际上可能要过几年(如果有的话)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.