Understanding connect-src, script-src and style-src when everything is loaded dynamically
I am a little confused with the directives available with the Content Security Policy header, mainly with connect-src, script-src and style-src.

I have a JavaScript which sends Fetch and Ajax requests (on the same domain) and dynamically loads a link tag that has a stylesheet.

If I have to get my script whitelisted on a domain, should this be part of all of connect-src, script-src and style-src? I am a little confused here.

To make it clearer, there is a script at https://example.com which loads, sends data from https://example.com and loads a stylesheet sitting at https://some-another-domain.com. How should the content security policy reflect this? Should connect-src, script-src and style-src include both the domains?

Could someone help clarify this?
Each directive should contain only sources which it covers (controls).

The connect-src directive covers the URLs from which resources can be loaded using the following script API interfaces (see the test):

- <a ping='...'>
- fetch()
- XMLHttpRequest()
- sendBeacon()
- WebSocket() (hence the ws: / wss: scheme can be specified in connect-src / default-src only)
- EventSource()

Therefore if you perform XMLHttpRequest('https://example.com/ajax') or use jQuery $.ajax('https://example.com/ajax'), which internally calls XMLHttpRequest(), you need to allow https://example.com in the connect-src:

    connect-src https://example.com;

Similarly if you use fetch('https://google.com/api/json'), you need to add this host-source to the connect-src:

    connect-src https://example.com https://google.com/api/;

and so on for all 6 of the APIs above.

The script-src directive covers:

- loading external scripts via <script src='http://example.com/script.js'></script>. You need to allow the relevant host-sources in the script-src for that. Alternatively a 'nonce-value' / 'hash-value' token can be used.
- inline scripts <script>...</script>. You need to use 'unsafe-inline' or 'nonce-value' / 'hash-value' tokens in the script-src to allow such scripts.
- eval(), setTimeout(), setInterval(), Function(), setImmediate(), execScript() function calls are gated on the 'unsafe-eval' source expression. If you use those you need to have 'unsafe-eval' in the script-src (with some exceptions for setTimeout() / setInterval()).
- javascript: URLs like <a href='javascript:...'>.
- inline event handlers in tags like <div onblur='...'>, <input onclick='...'>.

* For the last 2 things you need to have 'unsafe-inline' in the script-src directive or use 'unsafe-hashes' + 'hash-value' tokens paired (supported with some bugs as for now).

The style-src directive covers:

- stylesheets requested via <link href='http://example.com/min/css.css' rel='stylesheet'>. In this case you need to add the http://example.com host-source to the style-src directive.
- stylesheets requested via @import url('https://example.com/style_import.css')
- stylesheets requested via the HTTP header Link: https://example.com/file.css; rel=stylesheet
- inline <style>...</style> elements. You need to have 'unsafe-inline' or 'nonce-value' / 'hash-value' in the style-src to allow these.
- style attributes like <tag style='color:green; margin:0 auto;'>. You need to have 'unsafe-inline' in the style-src to allow these. Or use the paired 'unsafe-hashes' + 'hash-value' (not widely supported as for now).

* The JS call setAttribute('style', 'display:none;') is considered the same as <tag style='display:none;'> above.

- CSSStyleSheet.insertRule(), CSSGroupingRule.insertRule(), CSSStyleDeclaration.cssText and CSSStyleRule.selectorText were intended to be gated to 'unsafe-eval' in the style-src, but it's not implemented yet.

Any usage of the above constructs (even via script calls) requires allowing the relevant sources or tokens in the style-src directive.