问题描述
在我的asp.net核心应用程序中,对于每个响应,我都添加了内容安全策略标头.我了解对于IE,标头名称为X-Content-Security-Policy,对于其他浏览器(如chrome),其标头名称为Content-Security-Policy
In my asp.net core application for each response i'm adding content security policy header. I understand that for IE, the header name is X-Content-Security-Policy and for other browsers like chrome its Content-Security-Policy
标头值如下所示,其中每个响应的nonce不同.
The header value looks something like below where nonce is different for each response.
default-src 'none';
script-src 'self' 'nonce-somerandomvalue-differnt-foreach-reasone' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
object-src 'self';
connect-src 'self';
report-uri /csp/report;
该应用程序在少数页面上使用嵌入式javascript.因此,要解决内联脚本违规问题,我在脚本标记中添加了相同的nonce值.<script type="text/javascript" nonce="somerandomvalue-differnt-foreach-reasone">
这里重要的是,现时值需要与标头中的现时值匹配. 此处的一些详细信息
The application is using inline javascript on few pages. So to fix inline-script violation i am adding same nonce value in script tag.<script type="text/javascript" nonce="somerandomvalue-differnt-foreach-reasone">
Important thing here is the nonce value needs to match with the nonce value in header. some details here
我实现了中间件&标记帮助器,将现时值添加到标头&脚本标签.而且我确保在页面呈现时两个nonce值都匹配.
I implemented middleware & tag-helper which adds nonce into header & script tag respectively. And i made sure that both nonce values does match when page renders.
然后仅出于测试目的,我在页面上添加了脚本没有随机数
Then just for testing purpose on a page i added script without nonce
<script type="text/javascript">
$(function () {
alert('i am hacker');
})
</script>
Google chrome检测到此违规行为,并按预期阻止了上述脚本.但是,在IE 11以上版本中,脚本将被执行而没有任何冲突.同样,我确保IE中的标头为X-Content-Security-Policy
Google chrome detects this violation and blocks the above script as expected. However in IE 11 above script gets executed without any violation. Again, I made sure the header in IE is X-Content-Security-Policy
为什么IE 11没有阻止脚本?
Why IE 11 is not blocking script?
推荐答案
IE 11完全不支持使用nonce属性和nonce-源值.
IE 11 doesn’t support use of the nonce attribute and nonce- source value at all.
IE11唯一支持的CSP指令是sandbox指令.它会忽略所有其他CSP指令.
The only CSP directive IE11 supports is the sandbox directive. It ignores all other CSP directives.
因此您只需将'nonce-somerandomvalue-differnt-foreach-reasone'部分从X-Content-Security-Policy标头中完全删除,IE11仍将允许内联脚本.
So you could just completely drop the 'nonce-somerandomvalue-differnt-foreach-reasone' part from your X-Content-Security-Policy header and IE11 will still allow inline scripts.
IE11都将允许内联脚本,除非您让服务器使用X-Content-Security-Policy: sandbox标头发送响应,在这种情况下,它将禁止所有脚本.放松的唯一方法是发送X-Content-Security-Policy: sandbox allow-scripts,但这将允许所有脚本,包括嵌入式脚本.
IE11 will allow inline scripts no matter what you do, unless you have your server send the response with a X-Content-Security-Policy: sandbox header, in which case it will disallow all scripts. And the only way to relax that is to send X-Content-Security-Policy: sandbox allow-scripts, but that will allow all scripts, including inline scripts.
因此,我认为使用IE11不能告诉它只禁止内联脚本.您只能告诉IE11允许所有脚本,也不允许任何脚本.
So I think that with IE11 there’s no way to tell it to disallow just inline scripts. You can only tell IE11 to either allow all scripts, or to allow none.
还请注意:IE11于2013年发布,早于在任何地方指定nonce属性的时间.我认为在nonce属性中指定的第一个CSP规范草案是在2014年的某个时候.
Also note: IE11 was released in 2013, long before the nonce attribute was specified anywhere. I think the first CSP draft spec that the nonce attribute was specified in was some time in 2014.
http://caniuse.com/#feat=contentsecuritypolicy 详细介绍了浏览器对 CSP1指令:
http://caniuse.com/#feat=contentsecuritypolicy has details on browser support for CSP1 directives:
nonce属性是 CSP2功能.请参见 http://caniuse.com/#feat=contentsecuritypolicy2
添加了对nonce和其他CSP2功能的支持在Edge 15中.因此,Edge 14和更早版本不支持nonce或其他CSP2新功能.但是Edge12 +完全支持所有CSP1 .
Support for nonce and other CSP2 features was added in Edge 15. So Edge 14 and earlier have no support for nonce or other new-in-CSP2 features. But Edge12+ has full support for all of CSP1.
这篇关于内容安全策略在Internet Explorer 11中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!