问题
I'm looking for a good way to implement a relatively strong Content-Security-Policy header for my ASP.NET WebForms application. I'm storing as much JavaScript as possible in files instead of inline, but by default, WebForms injects a lot of inline script for things as simple as form submission and basic AJAX calls.
MVC has some simple ways to implement nonces, especially with the help of third party libraries like NWebsec, but I can't seem to find any methods of implementing them with WebForms. I wouldn't even have a problem using hashes if there were a way to predict and retrieve the hash for each .NET injected script tag.
I hate allowing the 'unsafe-inline' value. It feels wrong needing to turn off such a powerful security feature. Is there a reasonable way to implement it in WebForms?
回答1:
I had the same problem and sad to say this was the best we have done. We basically identified what we use and don't use. We even had to put unsafe eval in some of them because we were using third party controls that couldn't work without it. What we get at least is avoiding calls to external url.
default-src 'self';
child-src 'self' 'unsafe-inline' 'unsafe-eval';
object-src 'none';
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com;
img-src 'self' https://www.google-analytics.com;
style-src 'self' 'unsafe-inline'
来源:https://stackoverflow.com/questions/35851651/content-security-policy-in-asp-net-webforms