Question
I'm using Apache 2.4 and I'm trying to implement a Content Security Policy. I have set the following header in my httpd.conf:
Header set Content-Security-Policy "default-src 'none'; script-src 'self'"
Now, I have inline JavaScript code using a script tag inside the HTML, such as
<script>alert('Do something here')</script>
Note that the script tag contains meaningful JS code, not this alert stuff I have put in for sample purposes.
Now, Content Security Policy blocks such inline scripts. One way to whitelist these is to compute the SHA hash of the aforementioned script and explicitly pass it in the header as
Header set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dhfds73748=='"
This allows the script to run.
Now I can generate SHAs for these types of scripts at build time using grunt.
But do I have to manually set these inside Apache httpd.conf as I make changes to these scripts and then manually restart my Apache HTTP Server?
Can I set this value at runtime inside Apache config?
Please note that I don't want to move such code to a separate JS file and then call it via <script src="path/to/my/file.js"></script> unless it is the only way possible.
Answer 1:
Is this for static HTML or is this a web application? If it's a web application, a dynamic policy is fairly easy. If it's a static site using some sort of templating (e.g. Jekyll) you can use the CSP meta tags to easily update a policy.
If neither is true above, I'll have to defer to those with specific Apache experience. I don't think managing meta tags over many static pages is a good approach.
Source: https://stackoverflow.com/questions/38776717/use-content-security-policy-scipt-src-sha-feature-with-apache-http-server