[英]CSP safe usage of 'unsafe-inline' 'unsafe-eval'
I'm backend developer helping with a web server deployment for a frontend team, while I was researching vulnerabilites I came across Content Security Policy, if I set up the CSP header this "Content-Security-Policy: default-src 'self' data: {own_domain_1} {own_domain_2}", the website doesn't work, the frontend team tells me that adding 'unsafe-inline' and 'unsafe-eval' will not pose a threat since the domains where the data is being loaded from are our own but I have not come across any kind of documentation that make that claim, is it true?, and if not, can you point me to the documentation so I can bring it to my superiors.我是后端开发人员,正在帮助前端团队部署 web 服务器,同时我正在研究我遇到的内容安全策略的漏洞,如果我设置 CSP header 这个“内容安全策略:默认源代码‘自我’数据: {own_domain_1} {own_domain_2}",网站不工作,前端团队告诉我添加 'unsafe-inline' 和 'unsafe-eval' 不会造成威胁,因为从中加载数据的域是我们自己的,但我没有遇到任何提出这种说法的文件,是真的吗?如果不是,你能指出我的文件,这样我就可以把它带给我的上级。 Thanks in advance.
提前致谢。
It's definitely better if you can avoid unsafe-inline and unsafe-eval.如果可以避免 unsafe-inline 和 unsafe-eval,那肯定会更好。
The usual cause for seeing/needing unsafe-inline is having inline styles or style tags on the page.看到/需要不安全内联的通常原因是页面上有内联 styles 或样式标签。 Move all that to your css files and use only classes.
将所有内容移至您的 css 文件并仅使用类。
And unless there is an EXTREMELY STRONG CASE FOR IT , you should not permit unsafe-eval.除非有一个非常有力的理由,否则你不应该允许 unsafe-eval。 And even if you find this extremely strong case, you should ask yourself whether this feature is truly necessary.
即使你发现这个非常强大的案例,你也应该问问自己这个功能是否真的有必要。
Both of these open serious vulnerabilities, not just from 3rd party users, but from your own employees - don't just trust 'em because they tell you to.这两个公开的严重漏洞,不仅来自第 3 方用户,还来自您自己的员工 - 不要仅仅因为他们告诉您而信任他们。 Script injection is a serious security concern.
脚本注入是一个严重的安全问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.