[英]Sha hash not respected in CSP style-src
I have an ASP.NET web application that makes use of asp-validation-summary
.我有一个使用
asp-validation-summary
的 ASP.NET Web 应用程序。 Because of this an inline style
is added to an HTML element in my page.因此,我的页面中的 HTML 元素中添加了内联
style
。
This gives me the following error in console (Chrome v78.0.3904.108) when I run my application:当我运行我的应用程序时,这在控制台(Chrome v78.0.3904.108)中给了我以下错误:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://fonts.googleapis.com ".
拒绝应用内联样式,因为它违反了以下内容安全策略指令:“style-src 'self' https://fonts.googleapis.com ”。 Either the 'unsafe-inline' keyword, a hash ('sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='), or a nonce ('nonce-...') is required to enable inline execution.
启用内联执行需要“unsafe-inline”关键字、哈希(“sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=')或随机数(“nonce-...”)。
So I added the hash to my CSP, which now looks like this:所以我将哈希添加到我的 CSP 中,现在看起来像这样:
style-src 'self' https://fonts.googleapis.com 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=';
When I load my page I still get a similar error:当我加载我的页面时,我仍然收到类似的错误:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://fonts.googleapis.com 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='".
拒绝应用内联样式,因为它违反了以下内容安全策略指令:“style-src 'self' https://fonts.googleapis.com 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='”。 Either the 'unsafe-inline' keyword, a hash ('sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='), or a nonce ('nonce-...') is required to enable inline execution.
启用内联执行需要“unsafe-inline”关键字、哈希(“sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=')或随机数(“nonce-...”)。
This is the entire CSP header:这是整个 CSP 标头:
X-Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self'; upgrade-insecure-requests; style-src 'self' https://fonts.googleapis.com 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='; font-src 'self' https://fonts.gstatic.com;
As you can see I've added the hash, as sugested in the error.正如你所看到的,我已经添加了哈希,正如错误中所暗示的那样。 It also seems to be a valid header .
它似乎也是一个有效的 header 。
But why isn't this working?但为什么这不起作用?
You must add unsafe-hashes
.您必须添加
unsafe-hashes
。
unsafe-hashes
allows to enable specific inline event handlers. unsafe-hashes
允许启用特定的内联事件处理程序。 If you only need to allow inline event handlers and not inline elements or javascript: URLs, this is a safer method compared to using the unsafe-inline expression.如果您只需要允许内联事件处理程序而不是内联元素或 javascript: URL,则与使用 unsafe-inline 表达式相比,这是一种更安全的方法。
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src来源: https : //developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.