作者:ranger | 来源:互联网 | 2022-12-02 17:26
我不得不将CSP添加到具有内联样式的页面,并避免使用unsafe-inline
我正在使用哈希.我添加哈希的技巧只是在Chrome中加载页面,查看错误消息并复制所有建议的哈希值(例如从中
获取Refused to apply inline style because it violates the following Content Security Policy directive: "style-src ...". Either the 'unsafe-inline' keyword, a hash (''), or... is required to enable inline execution.
).
这解决了Firefox中的问题,但在Chrome中没有.奇怪的是,Chrome似乎并不尊重它本身产生的哈希值.这导致了一个有趣的情况,即Chrome列出包含哈希的策略,表示它不符合,然后建议我添加一个哈希,它在之前打印的策略中.
我的政策:
default-src 'none'; font-src 'self' data:; img-src 'self'; script-src 'self' 'report-sample'; style-src 'self' 'sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-OTeu7NEHDo6qutIWo0F2TmYrDhsKWCzrUgGoxxHGJ8o=' 'sha256-fviu5RwuBYFcCd5CDanhy6NCLufcwvCAbm061aSqhoQ=' 'sha256-wS7xf+bhXBr5EM064hQkAW0vX3ks5VoxbGn+KQC/Vhk=' 'sha256-cxL35Ug49Sl1zHMOdz/r0xinQ6BYGgClHdDCk2XPTzE='; object-src 'self'; connect-src 'self'
这会导致许多错误,例如:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-OTeu7NEHDo6qutIWo0F2TmYrDhsKWCzrUgGoxxHGJ8o=' 'sha256-fviu5RwuBYFcCd5CDanhy6NCLufcwvCAbm061aSqhoQ=' 'sha256-wS7xf+bhXBr5EM064hQkAW0vX3ks5VoxbGn+KQC/Vhk=' 'sha256-cxL35Ug49Sl1zHMOdz/r0xinQ6BYGgClHdDCk2XPTzE='". Either the 'unsafe-inline' keyword, a hash ('sha256-/3kWSXHts8LrwfemLzY9W0tOv5I4eLIhrf0pT8cU0WI='), or a nonce ('nonce-...') is required to enable inline execution.
其中Chrome建议我添加一个已存在于策略中的哈希.
可能有一些特定于Chrome的问题,我很遗憾.任何想法可能是什么?
1> Petr Srníček..:
我假设您在样式属性中拥有内联样式(与内联
This should be red - style from element.
This should not be green - style from attribute should be disallowed even though its hash is included in style-src in CSP.