CSP style-src:登陆页面中的“unsafe-inline”
[英]CSP style-src: 'unsafe-inline' in a landing page
问题描述
I use the Webflow tool to set up my website.
我使用 Webflow 工具来设置我的网站。 I export the code to host it on my server.我导出代码以将其托管在我的服务器上。
I have set up the Content-Security-Policy header.我已经设置了Content-Security-Policy标头。
Problem : most of the styles are inline.问题:大多数样式都是内联的。 I can't add the hash for all of them, there are too many ...我无法为所有这些添加哈希,有太多...
Is it so dangerous to put unsafe inline on style-src ?在 style-src 上放置 unsafe inline 有那么危险吗?
Note that this is a 99.9% static site (just a contact form).请注意,这是一个 99.9% 的静态站点(只是一个联系表格)。
Thank you for your help!谢谢您的帮助!
1 个解决方案
解决方案1
0 2022-06-02 08:20:28
The dangers of 'unsafe-inline' in style-src are discussed here: https://scotthelme.co.uk/can-you-get-pwned-with-css/这里讨论了 style-src 中“不安全内联”的危险: https ://scotthelme.co.uk/can-you-get-pwned-with-css/
If you can restrict the rest of your CSP, the dangers will be limited, but there will always be someone who disagrees.如果您可以限制 CSP 的其余部分,则危险将是有限的,但总会有人不同意。 If it is technically possible you could use nonces, as you could use the same nonce for all tags, but change it on every pageload.如果技术上可行,您可以使用 nonce,因为您可以对所有标签使用相同的 nonce,但在每次页面加载时更改它。 It seems like you don't want or can extract all the CSS to a separate file, which would of course be the simplest solution.似乎您不想或可以将所有 CSS 提取到单独的文件中,这当然是最简单的解决方案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.