How to allow the execution of inline event handlers in CSP with 'unsafe-hashes'
We are trying to enable Content Security Policy to prevent XSS, so we set script-src to 'self' in order to avoid inline scripts. However, our application is using a third-party JavaScript library that has inline event handlers.
We read that we could add the unsafe-hashes attribute with a sha256 hash in order to allow this specific library to execute inline events:
We added the following policy in the web.config:
However, it is giving us the following error in the Google Chrome browser console:
maskedinput.js:7 Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src-attr 'unsafe-hashes' 'sha256-TS+Ok6crNR4qdKYT6T5jwMHjsPdCzbg7dmT0eWCSN20='". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
Any idea how to avoid inline scripts but at the same time allow this specific library to run inline events?
You can use unsafe-hashes like so. Let's say you have:
<button type="button" onclick="alert('Hello World')">Show Alert</button>
then you can use this command to generate your hash:
echo -n "alert('Hello World')" | openssl dgst -sha256 -binary | openssl base64
and then you should use it like:
Content-Security-Policy: script-src 'unsafe-hashes' 'sha256-YOUR_HASH_HERE';
in this case the hash YOUR_HASH_HERE would be: ztv5rbjekwogmr7erW0rKA6H3gY4jEFwwdz2cl8bk1I=