HTTP Content-Security-Policy header 对于 Struts 中的 script-src 无法正常工作
[英]HTTP Content-Security-Policy header not working correctly for script-src in Struts
问题描述
I have a problem updating my version of struts struts2-core-2.5.30 project to struts2-core-6.1.1 so I began to receive an error indicating that the security policies have been violated, doing some research, I found that a header should be added
我在将我的 struts struts2-core-2.5.30 项目版本更新到 struts2-core-6.1.1 时遇到问题,所以我开始收到一条错误消息,表明违反了安全策略,做了一些研究,我发现一个 header应该加上
[Report Only] Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'nonce-MOz6w31eaDHGUDfV__K8LEZ1' 'strict-dynamic' http: https:". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
and inside this error i have this description在这个错误里面我有这个描述
[Report Only] Refused to load the script 'http://localhost:8080/Portal/html/js/jquery/jquery-1.8.3.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-MOz6w31eaDHGUDfV__K8LEZ1' 'strict-dynamic' http: https:". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
[Report Only] Refused to load the script 'http://localhost:8080/Portal/html/js/jquery/jquery-ui.1.10.4.min.js' because it violates the following Content Security Policy directive: "script-src 'nonce-MOz6w31eaDHGUDfV__K8LEZ1' 'strict-dynamic' http: https:". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
however I have tried these headers但是我已经尝试过这些标题
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<meta http-equiv="Content-Security-Policy" content="default-src *;
style-src * 'unsafe-inline'; script-src * 'unsafe-inline'
'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src *
'unsafe-inline'; frame-src *;">
<meta http-equiv="Content-Security-Policy" content="default-src 'nonce-rAnd0m'">
<script src="${pageContext.request.contextPath}/html/js/jquery/jquery-1.8.3.min.js" type="text/javascript" nonce="rAnd0m123"></script>
with each of them I get the same error, In my previous version of struts it did not ask me for any of this对于它们中的每一个,我都会遇到同样的错误,在我以前的 struts 版本中,它没有要求我提供任何这些
have also tried to make an interceptor to add the corresponding directives, however it has not worked for me either.还尝试制作一个拦截器来添加相应的指令,但是它对我也没有用。
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.StrutsStatics;
public class SessionInterceptor extends AbstractInterceptor{
private static final long serialVersionUID = 1L;
public String intercept(ActionInvocation invocation) throws Exception {
ActionContext ac = invocation.getInvocationContext();
HttpServletResponse response = (HttpServletResponse) ac.get(StrutsStatics.HTTP_RESPONSE);
//HttpServletResponse response = ServletActionContext.getResponse();
response.addHeader("X-Frame-Options", "SAMEORIGIN");
response.addHeader("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
response.addHeader("X-Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'; report-uri REDACTED");
return invocation.invoke();
}
}
In the same way I have updated the jquery-1.8.3 version as suggested in the comments but it has not worked for me either以同样的方式,我按照评论中的建议更新了 jquery-1.8.3 版本,但它对我也没有用
3 个解决方案
解决方案1
1 2023-01-24 05:45:56
The content of your policies and the one in the error message don't match, and while you are adding "Content-Security-Policy", the error message is for "Content-Security-Policy-Report-Only".您的策略内容与错误消息中的内容不匹配,当您添加“Content-Security-Policy”时,错误消息是针对“Content-Security-Policy-Report-Only”的。 This means that there is another header present, and you are adding another.这意味着存在另一个 header,而您正在添加另一个。 Adding another can only make the policy stricter.添加另一个只能使策略更严格。 The report only version of Content-Security-Policy doesn't actually block anything, and must be set as a response header. You should identify where this header is set and modify it as needed. Content-Security-Policy 的仅报告版本实际上不会阻止任何内容,并且必须设置为响应 header。您应该确定此 header 的设置位置并根据需要进行修改。
Additionally you should replace jquery-1.8.3 with a recent version that doesn't have known vulnerabilities.此外,您应该将 jquery-1.8.3 替换为没有已知漏洞的最新版本。
解决方案2
0 2023-01-26 23:18:08
It has been a very long time without using Struts: please, forgive me for any inaccuracy.很长时间没有使用 Struts:请原谅我的任何不准确之处。
Struts provides support for Content-Security-Policy since version 6.x . Struts 从6.x 版本开始提供对Content-Security-Policy支持。
The functionality is implemented primarily in CspInterceptor .该功能主要在CspInterceptor中实现。
This interceptor is configured by providing a convenient default implementation of CspSettings .此拦截器通过提供CspSettings的便捷默认实现来配置。
This interceptor is included by default in the Struts configuration .这个拦截器默认包含在Struts 配置中。 As you can see in the linked resource and in the documentation by default is configured in report only, non enforcing mode:正如您在链接资源和文档中看到的那样,默认情况下配置为仅报告,非强制模式:
<interceptor-ref name="csp">
<param name="disabled">false</param>
<param name="enforcingMode">false</param>
</interceptor-ref>
I reviewed the current source code of the library and the companion documentation and it seems that providing a custom CSP configuration to CspInterceptor is not possible right now.我查看了库的当前源代码和配套文档,现在似乎无法为CspInterceptor提供自定义 CSP 配置。
That means that in order to mitigate your error one possibility will be to disable the CspInterceptor and provide your own.这意味着为了减轻您的错误,一种可能性是禁用CspInterceptor并提供您自己的。 The Struts documentation provides guidance about how it could be accomplished. Struts 文档提供了有关如何完成它的指导。 In your case, I think it should look like similar to the following:在您的情况下,我认为它应该类似于以下内容:
<action name="myAction" class="myActionClass">
<interceptor-ref name="defaultStack">
<param name="csp.disabled">true</param>
</interceptor-ref>
</action>
In addition, in the commit I cited at the beginning of the answer they mention the components and corresponding tags s:link and s:script as a possible way for fetching the required CSS and Javascript resources taking into account the CSP settings.此外,在我在答案开头引用的提交中,他们提到了组件和相应的标签s:link和s:script作为获取所需 CSS 和 Javascript 资源的可能方式,同时考虑了 CSP 设置。 Please, consider review for instance this page in the showcase they provide as example, reproduced here for convenience:请考虑在他们提供的展示柜中查看此页面,例如,为方便起见在此处转载:
<%@taglib prefix="s" uri="/struts-tags" %>
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Struts2 Showcase for Apache Struts Project">
<meta name="author" content="The Apache Software Foundation">
<title><decorator:title default="Struts2 Showcase"/></title>
<s:url var="bootstrapCss" value='/styles/bootstrap.css' encode='false' includeParams='none'/>
<s:link href="%{bootstrapCss}" rel="stylesheet" type="text/css" media="all"/>
<s:url var="mainCss" value='/styles/main.css' encode='false' includeParams='none'/>
<s:link href="%{mainCss}" rel="stylesheet" type="text/css" media="all"/>
<s:url var="jqueryJs" value='/js/jquery-2.1.4.min.js' encode='false' includeParams='none'/>
<s:script src="%{jqueryJs}"/>
<s:url var="bootstrapJs" value='/js/bootstrap.min.js' encode='false' includeParams='none'/>
<s:script src="%{bootstrapJs}"/>
<s:script type="text/javascript">
$(function () {
var alerts = $('ul.alert').wrap('<div />');
alerts.prepend('<a class="close" data-dismiss="alert" href="#">×</a>');
alerts.alert();
});
</s:script>
<!-- Prettify -->
<s:url var="prettifyCss" value='/styles/prettify.css' encode='false' includeParams='none'/>
<s:link href="%{prettifyCss}" rel="stylesheet"/>
<s:url var="prettifyJs" value='/js/prettify.js' encode='false' includeParams='none'/>
<s:script src="%{prettifyJs}"/>
<!-- Le HTML5 shim, for IE6-8 support of HTML5 elements -->
<!--[if lt IE 9]>
<s:script src="http://html5shim.googlecode.com/svn/trunk/html5.js"/>
<![endif]-->
<s:script>
jQuery(document).ready(function() { prettyPrint(); } );
</s:script>
<decorator:head/>
</head>
解决方案3
0 2023-01-31 23:11:36
I was also struggling with the new Content Security Policy interceptor.我也在为新的内容安全策略拦截器而苦苦挣扎。 We had to temporarily disable it since Struts doesn't really provide any way to configure it yet and all of those browser console error / CSP reports are really unacceptable.我们不得不暂时禁用它,因为 Struts 还没有真正提供任何配置它的方法,而且所有这些浏览器控制台错误/CSP 报告确实是不可接受的。
At least for me, in order to disable it across all of my actions in struts.xml I needed to reference "cspInterceptor" instead of "csp" as follows:至少对我来说,为了在 struts.xml 中的所有操作中禁用它,我需要引用“cspInterceptor”而不是“csp”,如下所示:
<interceptor-ref name="defaultStack" >
<param name="cspInterceptor.disabled">true</param>
</interceptor-ref>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.