[英]MVC Ajax.BeginForm and Content Security Policy
為了防止跨腳本編寫,我對我的一個應用程序實施了CSP。 目前,我正在重新配置所有html類,以便javascript始終來自我的服務器。
現在,我找到了一個帶有Ajax.BeginForm
的頁面,並始終收到錯誤“ Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
如果我要提交表單並更新視圖,則為Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
”。
誰能幫助我,問題出在哪里?
這是我的html類(簡稱):
UserInformation.cshtml:
<div id="OpenAccountInformation">@Html.Action("OpenAccountInformation")</div>
</div>
AccountInformation.cshtml:
@Scripts.Render("~/Scripts/bundles/ManageUsers/AccountInformation")
@model Tumormodelle.Models.ViewModels.AzaraUserModel
<input type="hidden" value="@ViewBag.Editable" id="EditableUserInformation">
<div id="Editable">
@using (Ajax.BeginForm("EditUser", "ManageUsers", new AjaxOptions { InsertionMode = InsertionMode.Replace, UpdateTargetId = "OpenAccountInformation", HttpMethod = "post", }))
{
@Html.AntiForgeryToken()
@Html.HiddenFor(m => m.UserID)
<div>
<div>
@Html.LabelFor(m => m.Username, new { @class = "entryFieldLabel" })
</div>
</div>
<div>
<div>
<button name="button" value="save" class="formbutton" id="saveButton">save</button>
<button name="button" value="cancel" class="formbutton" id="cancelButton">cancel</button>
</div>
}
</div>
<div id="NonEditable">
<div>
<div>
@Html.LabelFor(m => m.Username, new { @class = "entryFieldLabel" })
</div>
</div>
<div>
<div>
<button name="button" value="edit" class="formbutton" id="editButton" type="button">edit</button>
</div>
</div>
</div>
和c#方法:
public ActionResult EditUser(AzaraUserModel AzaraUserModel, string button)
{
if (button == Tumormodelle.Properties.Resources.Save)
{
if (ModelState.IsValid)
{
azaraUserManagement.Update(AzaraUserModel.Username, AzaraUserModel.Title, AzaraUserModel.FirstName, AzaraUserModel.LastName, AzaraUserModel.EMailAddress, null, AzaraUserModel.Phone, AzaraUserModel.UserID, (byte)AzaraUserModel.ShowMail.ID);
ViewBag.Message = Tumormodelle.Properties.Resources.Personal_Data_Changed;
ViewBag.Editable = true;
}
else ViewBag.Editable = false;
BindShowMailList();
return PartialView("AccountInformation", AzaraUserModel);
}
else
{
return RedirectToAction("OpenAccountInformation", "ManageUsers");
}
}
public ActionResult UserInformation()
{
return View("UserInformation");
}
public PartialViewResult OpenAccountInformation()
{
AzaraUserModel AzaraUserModel = new AzaraUserModel(azaraUserManagement.GetSingle(AzaraSession.Current.UserComparison.GetUser().Id));
BindShowMailList();
ViewBag.Editable = true;
return PartialView("AccountInformation", AzaraUserModel);
}
編輯:我發現在Chrome調試器的幫助下,在提交表單的那一刻引發了錯誤。
Ajax.BeginForm
將在頁面的生成的HTML中生成內聯腳本,但您在內容安全策略中使用script-src 'self'
不允許這樣做。
如果要使用CSP阻止任何內聯注入的腳本,則必須改用Html.BeginForm
並添加JavaScript以通過Ajax在外部.js
文件中提交此腳本。
嘗試將此屬性添加到控制器后操作
[ValidateInput(false)]
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.