内容安全策略阻止 Angular 样式
[英]Content Security Policy blocks Angular Styles
问题描述
I want to publish a web application with a strict Content Security Policy.
我想发布一个具有严格内容安全策略的 Web 应用程序。 The last remaining issue is: style-src 'self';最后剩下的问题是: style-src 'self';
I get an error in the browser console saying that a resource was blocked from loading based on the style-src directive in the CSP.我在浏览器控制台中收到一条错误消息,指出根据 CSP 中的 style-src 指令阻止加载资源。 The error references code in the main..js file that is produced from ng build --prod .错误引用了从ng build --prod生成的 main..js 文件中的代码。
If I add 'unsafe-inline' to the style-src directive in the CSP, everything works fine, however, I do not want to do this.如果我向 CSP 中的style-src指令添加'unsafe-inline' ,则一切正常,但是,我不想这样做。
Is there anything I can do in my code or build option to make the web application work with the more restrictive CSP?我可以在我的代码或构建选项中做些什么来使 Web 应用程序与更严格的 CSP 一起工作?
I was using Angular 11 and just upgraded to 12 and have the same error.我使用的是 Angular 11,刚刚升级到 12 并出现相同的错误。
Thanks!谢谢!
2 个解决方案
解决方案1
1 2021-07-20 20:25:09
Options for resolution:分辨率选项:
1. Use SHA-256 hashes 1. 使用 SHA-256 哈希
If there is a relatively small amount of such violations, you can add their hashes.如果此类违规的数量相对较少,则可以添加其哈希值。 Example, if you see this in your log:例如,如果您在日志中看到此内容:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-YpcdPia2p132TdnpnY8zwrWWSqByEKGZBY5iqsLBkSg='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
Add 'sha256-YpcdPia2p132TdnpnY8zwrWWSqByEKGZBY5iqsLBkSg=' You may also need 'unsafe-hashes' - depending on the context.添加'sha256-YpcdPia2p132TdnpnY8zwrWWSqByEKGZBY5iqsLBkSg='您可能还需要'unsafe-hashes' - 取决于上下文。 Note: This approach is not easy to sustain.注意:这种方法不容易维持。 A small change in a style will force you to recreate the hash.样式的微小变化将迫使您重新创建哈希。 It's useful only when you have a handful of such inline scripts.只有当您拥有少量此类内联脚本时,它才有用。
2. Nonces 2. 随机数
You can use nonces to "bless" inline styles and approve them.您可以使用随机数来“祝福”内联样式并批准它们。 However, even Google experts who advocate for CSP nonces don't usually deploy them on style-src - only on script-src .然而,即使是提倡 CSP nonce 的 Google 专家通常也不会将它们部署在style-src ——只部署在script-src 。 Note: This approach is hard to deploy.注意:这种方法很难部署。 A unique nonce needs to be generated for every pageload.需要为每个页面加载生成一个唯一的随机数。
3. Use 'unsafe-inline' - it's fine for style-src (not great for script-src ) 3. 使用'unsafe-inline' - 对style-src很好(对script-src不好)
Really, even setting a CSP with style-src 'unsafe-inline' 'self' someurl.com;真的,甚至使用style-src 'unsafe-inline' 'self' someurl.com;设置 CSP style-src 'unsafe-inline' 'self' someurl.com; is much safer than 99.9% of sites.比 99.9% 的网站安全得多。 More than accounts.google.com that does not restrict style-src at all.超过accounts.google.com不限制style-src的。 Github have a fantastic high quality CSP with style-src: 'unsafe-inline' Github有一个很棒的高质量 CSP,带有style-src: 'unsafe-inline'
Good luck!祝你好运!
解决方案2
1 2021-07-21 03:01:46
If I add
'unsafe-inline'to thestyle-srcdirective in the CSP, everything works fine, however, I do not want to do this.style-src指令添加'unsafe-inline',则一切正常,但是,我不想这样做。
Looks like that's impossible at the moment.目前看来这是不可能的。 According to Angular's support thread at Github, an allowing 'unsafe-inline' in style-src is required for Angular applications (have a look at "Suggested Steps" 1. "We should clearly state that allowing 'unsafe-inline' in style-src is required for Angular applications.").根据 Angular 在 Github 上的支持线程, Angular 应用程序需要在 style-src 中允许 'unsafe-inline' (查看“建议步骤”1。“我们应该清楚地说明在样式中允许 'unsafe-inline'- Angular 应用程序需要 src。”)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.