CSP policy with ASP.NET 4.8
https://csp-evaluator.withgoogle.com/ shows the classic ASP.NET site I'm working on with the following results:

    object-src 'none'; img-src 'self'; script-src 'self'; require-trusted-types-for 'script'

but it looks like none of my code that uses the __DoPostback JS is working. Here's a snippet from web.config:

    <rule name="CSP">
      <match serverVariable="RESPONSE_Content-Security-Policy" pattern=".*" />
      <action type="Rewrite" value="object-src 'none'; img-src 'self'; script-src 'self'; require-trusted-types-for 'script'" />
    </rule>

Removing the require-trusted-types-for and script-src stanzas makes the JS work again, but also makes the site vulnerable to XSS.

Anyone aware of a solution? I've tried script-src 'url-of-base-site'.

This one looked promising, but it may be old enough that require-trusted-types-for 'script' wasn't a thing yet? When I commented that last tag out of the custom headers, it seems like inline scripts started working; but I am getting at best a B- on observatory.mozilla.org.
Comments (1)
When "script-src 'self'" is set, all executing scripts must be loaded from .js files from the same source. Your site is not particularly vulnerable to XSS with such a strong script-src.

If some third-party code causes issues with CSP, you basically have to modify it or replace it if you don't want to change the CSP. In your case I would be happy with "script-src 'self'" and rather invest time into securing something else, even though a CSP evaluator says my policy isn't optimal.
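To make the thread's point concrete, here is an added example (not code from the question, the answer, or ASP.NET) that parses a Content-Security-Policy string the way a browser reads it and reports what the policy does to script execution. WebForms renders the __doPostBack helper as an inline `<script>` block in the page, so the check that matters for the question is whether an inline script without a nonce or hash is allowed; the Trusted Types directive is a separate switch that only governs DOM sinks such as innerHTML and eval. The `noncePolicy` string, with its `'nonce-r4nd0m'` value, is a hypothetical variant to show the difference a per-request nonce would make; a static URL Rewrite rule like the one in web.config cannot emit a fresh nonce per response, so that variant would need to be generated in application code.

```javascript
// Added example: minimal CSP parser and script-policy analyzer.
// Directive semantics follow the CSP3 spec: script-src falls back to
// default-src; a duplicated directive name is ignored (first one wins);
// 'unsafe-inline' is ignored when a nonce or hash source is present.

function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Effective source list for scripts, or null when the policy says nothing
// about scripts at all (no script-src and no default-src).
function scriptSources(directives) {
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function analyzeScripts(policy) {
  const d = parseCsp(policy);
  const src = scriptSources(d);
  const has = (pattern) => src !== null && src.some((v) => pattern.test(v));
  const nonceOrHash = has(/^'nonce-/) || has(/^'sha(256|384|512)-/);
  return {
    // false means scripts are unrestricted by this policy
    scriptsRestricted: src !== null,
    // a plain <script>...</script> block (e.g. the WebForms __doPostBack helper)
    unnoncedInlineAllowed: src === null || (has(/^'unsafe-inline'$/) && !nonceOrHash),
    // <script nonce="..."> or hash-matched blocks can still run
    nonceOrHashAllowed: nonceOrHash,
    evalAllowed: src === null || has(/^'unsafe-eval'$/),
    // require-trusted-types-for 'script' gates DOM sinks, not inline blocks
    trustedTypesEnforced: (d.get('require-trusted-types-for') ?? []).includes("'script'"),
    pluginsBlocked: (d.get('object-src') ?? d.get('default-src') ?? []).includes("'none'"),
  };
}

// Human-readable reasons a WebForms page's inline scripts would stop working.
function whyInlineBreaks(policy) {
  const a = analyzeScripts(policy);
  const reasons = [];
  if (a.scriptsRestricted && !a.unnoncedInlineAllowed && !a.nonceOrHashAllowed) {
    reasons.push('inline <script> blocks are blocked: no unsafe-inline, nonce or hash in script-src');
  }
  if (a.scriptsRestricted && !a.unnoncedInlineAllowed && a.nonceOrHashAllowed) {
    reasons.push('inline <script> blocks run only if they carry the nonce or match a hash');
  }
  if (a.trustedTypesEnforced) {
    reasons.push('Trusted Types enforced: innerHTML/eval/document.write need a TrustedHTML/TrustedScript value');
  }
  return reasons;
}

// The policy from the question, verbatim.
const questionPolicy =
  "object-src 'none'; img-src 'self'; script-src 'self'; require-trusted-types-for 'script'";
// Hypothetical variant with a per-request nonce (the nonce value is made up).
const noncePolicy =
  "object-src 'none'; img-src 'self'; script-src 'self' 'nonce-r4nd0m'; require-trusted-types-for 'script'";

console.log('question policy:', analyzeScripts(questionPolicy));
console.log('reasons:', whyInlineBreaks(questionPolicy));
console.log('nonce variant:', analyzeScripts(noncePolicy));
console.log('reasons:', whyInlineBreaks(noncePolicy));
```

Run with `node csp-check.js`. For the question's policy the analyzer reports that unnonced inline scripts are blocked, eval is blocked, Trusted Types are enforced and plugins are blocked, which is exactly the combination the evaluator rates well and the WebForms inline postback script cannot survive; adding a nonce keeps `'unsafe-inline'` out of the policy while letting nonced blocks run.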