堆栈内存溢出
  简体   繁体   English

禁止页面上的内联脚本

[英]Prohibit inline script on page

 原文  2013-01-18 12:22:17       javascript/ cross-browser

问题描述

Is there any way to prohibit the browser to execute inline scripts (code placed directly on page, not in external resource, ie event handlers, script blocks etc.) for certain page by specifying some HTTP header, policy on server or similar? 是否可以通过在服务器上指定一些HTTP标头,策略或类似方法来禁止浏览器对某些页面执行内联脚本(代码直接放置在页面上,而不放置在外部资源中,即事件处理程序,脚本块等)? I'm looking for some universal solution: cross-browser and HTTP server agnostic. 我正在寻找一些通用的解决方案:跨浏览器和HTTP服务器不可知。

2 个解决方案

解决方案1
 0  2013-01-18 12:35:45

Basically, this is called XSS filtering and a simple answer would be to prevent it's input OR if any went through, not to render them at all . 基本上,这就是所谓的XSS过滤,一个简单的答案是防止输入,或者根本不进行渲染 There are a lot of ways to do this, and libraries to help you as well depending on the platform. 有很多方法可以做到这一点,库也可以根据平台提供帮助。

On the entry-point, you should be filtering them. 在入口点,您应该对其进行过滤。 Submissions from clients should be filtered always. 来自客户的提交应始终进行过滤。 This is called XSS filtering. 这称为XSS过滤。

On the rendering side, you should do something like html_entities if you want to escape special characters, especially from user input, into the page. 在呈现方面,如果要将特殊字符(尤其是来自用户输入的特殊字符)转义到页面中,则应该执行类似html_entities的操作。

All of these are done on the server. 所有这些都在服务器上完成。

解决方案2
 0 已采纳  2013-01-18 21:41:31

After a lot of googling and some discussions with colleges I have finally found the solution - Content Security Policy (good article describing the concept - "An introduction to Content Security Policy" was written by Mike West). 经过大量的搜索和与大学的讨论,我终于找到了解决方案- 内容安全策略 (描述概念的好文章- “内容安全策略简介”由Mike West撰写)。 Right now it is on Candidate Recomendation stage in W3C but the most popular browsers already supports it (unfortunately support in IE version < 10). 目前,它在W3C中处于候选推荐阶段,但是最受欢迎的浏览器已经支持它(不幸的是,在IE版本<10中支持)。

It does exactly what I was looking for: 它正是我想要的:

  • it's an response HTTP header so it's sever agnostic 这是一个响应HTTP标头,因此与服务器无关
  • it's (more or less...) cross-browser (或多或少...)跨浏览器
  • it can prohibit the browser from executing inline scripts (with directive unsafe-inline ) or eval ( unsafe-eval ; eval is evil) and introduces many useful restrictions (from browser security point of view) 它可以禁止浏览器执行内联脚本(使用指令unsafe-inline )或eval( unsafe-eval ; eval是邪恶的),并引入许多有用的限制(从浏览器安全的角度出发)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 页面内的内联 jQuery 脚本 - Inline jQuery script inside the page Javascript禁止访问直接在浏览器中键入的页面 - Javascript Prohibit access to a page that is directly typed in the browser 页面上的所有iframe加载完毕后,顶部的内嵌脚本会执行 - Inline script at the top executes after all the iframes on page have loaded 在没有内联脚本的 Shopify 结帐页面上通过地理位置隐藏元素? - Hiding an element by geolocation on Shopify Checkout page without inline script? 如何在第二个内联脚本中的 HTML 页面上使用 javascript 模块 - How to use javascript module on an HTML page in a second inline script 脚本和内联脚本的 SetTimeOut - SetTimeOut for script and inline script 拒绝加载内联脚本 - Refused to load inline script Apps 脚本 - 内联图像 - Apps Script - inline Images html 上的内联脚本不起作用? - Inline script on html not working? 将内联脚本添加到WordPress页面上后,Visual Composer无法加载 - Visual Composer doesn't load after inline script was added to the page on WordPress
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM