问题
New to Content Security Policy stuff so not sure if this is possible or not, but wondering how to add a hash or nonce for some inline script within a HTML element's attribute.
For example:
<form method="post" onsubmit="function();">
Gives me the following CSP error in Google Chrome:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'. Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
I've tried hashing just the script e.g. function(); as well as onsubmit="function" and neither work. I tried adding a nonce to the form element but that didn't help.
If needed I can move the event binding outside of the element attribute, just curious if there is a way to adhere to a CSP with the above.
来源:https://stackoverflow.com/questions/50842033/csp-hash-or-nonce-for-inline-js-within-attribute