[英].Net Core 'asp-append-version' interfering with CSP nonces in Umbraco 9
I have a very simple TagHelper which will add the current CSP nonce to a specified tag.我有一个非常简单的 TagHelper,它将当前的 CSP 随机数添加到指定的标签。
This is all working fine until I start using asp-append-version
along with it, at which point the browser begins complaining that the script is blocked:在我开始使用
asp-append-version
之前,这一切都很好,此时浏览器开始抱怨脚本被阻止:
[Report Only] Refused to load the script because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'nonce-7TYX/FgHsrvHOORSEBRB3h0e'". [仅限报告] 拒绝加载脚本,因为它违反了以下内容安全策略指令:“script-src 'strict-dynamic' 'nonce-7TYX/FgHsrvHOORSEBRB3h0e'”。 Note that 'strict-dynamic' is present, so host-based allowlisting is disabled.
请注意,存在“strict-dynamic”,因此禁用了基于主机的白名单。 Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
请注意,未明确设置“script-src-elem”,因此“script-src”用作后备。
When I view the page source I can see that my nonce is correctly applied however we end up with two src
attributes which doesn't seem right to me:当我查看页面源代码时,我可以看到我的 nonce 已正确应用,但是我们最终得到两个
src
属性,这对我来说似乎不正确:
<script src="/web/scripts/main.js?v=K0HDUmKd22yWAqRgrnhcGk69aHiFH8qUh2kPLDSbV0c"
src="/web/scripts/main.js"
nonce="GLBtUe54MABq4Ld2Wtznf8P2"></script>
Could this be the issue?这可能是问题所在吗? I see two attributes, even without the custom tag helper (have also tried unregistering ALL custom tag helpers in the system and I still face this issue).
我看到两个属性,即使没有自定义标签助手(也尝试在系统中注销所有自定义标签助手,但我仍然面临这个问题)。
It won't even work with a static hardcoded nonce (no tag helper at all).它甚至不能与 static 硬编码随机数一起使用(根本没有标签助手)。
Example script reference:示例脚本参考:
<script asp-append-version="true" asp-add-nonce="true" src="/web/scripts/main.js"></script>
TagHelper class:标签助手 class:
[HtmlTargetElement("script", Attributes = "asp-add-nonce")]
public class NonceTagHelper : TagHelper
{
private readonly ILogger<NonceTagHelper> logger;
private readonly ICspNonceBuilder cspNonceBuilder;
public NonceTagHelper(ILogger<NonceTagHelper> logger, ICspNonceBuilder cspNonceBuilder)
{
this.logger = logger;
this.cspNonceBuilder = cspNonceBuilder;
}
[HtmlAttributeName("asp-add-nonce")]
public bool AddNonce { get; set; }
public override void Process(TagHelperContext context, TagHelperOutput output)
{
if (!this.AddNonce)
{
return;
}
var nonce = this.cspNonceBuilder.GetRequestNonce();
output.Attributes.SetAttribute("nonce", nonce);
}
}
This all starts working fine if I remove asp-append-version
- output:如果我删除
asp-append-version
- output,这一切都会开始正常工作:
<script nonce="GLBtUe54MABq4Ld2Wtznf8P2" type="module" src="/web/scripts/main.js"></script>
But I'd like to keep using this if possible.但如果可能的话,我想继续使用它。 What am I missing?
我错过了什么? I'm not sure its the custom tag helper as the issue is reproduceable without it (hardcoded nonce).
我不确定它是自定义标签助手,因为没有它(硬编码随机数)问题是可以重现的。
I've found the issue.我发现了问题。 Umbraco 9 includes a bundling and minification package as standard https://github.com/Shazwazza/Smidge :
Umbraco 9 包括一个捆绑和缩小 package 作为标准https://github.com/Shazwazza/Smidge :
@addTagHelper *, Smidge
@inject Smidge.SmidgeHelper SmidgeHelper
Smidge is including some taghelpers which target the src
attribute on <script>
tags. Smidge 包括一些以
<script>
标签上的src
属性为目标的标签助手。
Seems like it's duplicating the entire attribute:似乎它在复制整个属性:
https://github.com/Shazwazza/Smidge/blob/master/src/Smidge/TagHelpers/SmidgeScriptTagHelper.cs#L48 https://github.com/Shazwazza/Smidge/blob/master/src/Smidge/TagHelpers/SmidgeScriptTagHelper.cs#L48
// Pass through attribute that is also a well-known HTML attribute.
// this is required to make sure that other tag helpers executing against this element have
// the value copied across
if (Source != null)
{
output.CopyHtmlAttribute("src", context);
}
Removing this from the solution resolves the issue.从解决方案中删除它可以解决问题。
Edit* This has now been patched and will be releasing with version 4.1.0编辑*现在已经修补并将与版本 4.1.0 一起发布
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.