内容安全策略 (CSP) URL 似乎没有任何效果。 仍然举报违规行为
[英]Content-Security-Policy (CSP) URL doesn't seem to have any effect. Still reporting a violation
问题描述
I have a CSP with the following line in it:
我有一个 CSP,其中包含以下行:
script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http: https://static.cloudflareinsights.com https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/email-decode.min.js;
and I can see that the CSP is correct in the response header for the page.我可以看到 CSP 在页面的响应 header 中是正确的。
I am still getting a [Report Only] Refused to load the script https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/email-decode.min.js error.我仍然收到[Report Only] Refused to load the script https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/email-decode.min.js错误。
Cloudflare is auto-injecting this script tag and so I cannot rely on the strict-dynamic property to cover it for me, nor can I add a nonce. Cloudflare 会自动注入此脚本标签,因此我不能依赖strict-dynamic属性为我覆盖它,也不能添加随机数。
Is this failing because of scrict-dynamic overriding the fixed url in the CSP?这是否因为scrict-dynamic覆盖 CSP 中的固定 url 而失败? We need strict-dynamic within the app, but we also need to allow a custom whitelist url for these situations.我们需要在应用程序中进行严格动态,但我们还需要针对这些情况允许自定义白名单 url。
Any ideas?有任何想法吗?
Edit: Specifically I think the issue is cloudflare here.编辑:具体来说,我认为这里的问题是 cloudflare。 How is it possible to allow cloudflare to inject scripts, while at the same time having strict-dynamic set?如何允许 cloudflare 注入脚本,同时具有严格的动态集? You cannot give cloudflare a nonce, and strict-dynamic will not let you white-list so how is it possible to overcome this?您不能给 cloudflare 一个随机数,而 strict-dynamic 不会让您列入白名单,那么如何克服这个问题呢?
1 个解决方案
解决方案1
0 2022-05-19 22:04:46
If you use strict-dynamic , it ignores the allow-listed domain.如果您使用strict-dynamic ,它会忽略允许列出的域。 That's why that approach isn't working.这就是为什么这种方法行不通的原因。
BTW, you can't use a full URL like http: https://static.cloudflareinsights.com https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/email-decode.min.js anyway. BTW, you can't use a full URL like http: https://static.cloudflareinsights.com https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/email-decode.min.js anyway . You can only use https://static.cloudflareinsights.com https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/ .您只能使用https://static.cloudflareinsights.com https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/ 。
BTW, you may find https://csp-evaluator.withgoogle.com/ helpful for finding problems like that in your CSP.顺便说一句,您可能会发现https://csp-evaluator.withgoogle.com/有助于在您的 CSP 中查找此类问题。 (I'm not affiliated with them. I just think it's useful.) (我不隶属于他们。我只是认为它很有用。)
At the end of the day, Cloudflare is going to need to fix this on their side.归根结底,Cloudflare 需要在他们这边解决这个问题。 They see your CSP in your response.他们会在您的回复中看到您的 CSP。 They need to make use of your nonce.他们需要利用你的 nonce。 They do this sometimes.他们有时会这样做。 If you read https://developers.cloudflare.com/bots/reference/javascript-detections/ , it says, "If your CSP uses a nonce for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header."如果您阅读https://developers.cloudflare.com/bots/reference/javascript-detections/ ,它会说:“如果您的 CSP 使用随机数作为脚本标签,Cloudflare 将通过解析您的 CSP 将这些随机数添加到它注入的脚本中响应 header。”
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.