Content-Security-Policy头部将“inline”脚本称为“unsafe”是为什么?

huangapple go评论65阅读模式
英文:

Why does Content-Security-Policy header calls "inline" scripts "unsafe"?

问题

必须设置 Content-Security-Policy 标头为...

object-src 'none'

...以便在没有依赖项(包含内联脚本)的单个 HTML 页面上运行 <script> 标签。

为什么内联脚本被认为不安全?

MDN 表示 内联脚本被排除,但没有说明原因,参考文档 中也是一样。

英文:

Had to set Content-Security-Policy header to...

default-src https: &#39;unsafe-inline&#39;;
object-src &#39;none&#39;

... for a single html page with no dependencies (with inline scripts) to run the &lt;script&gt; tag.

Why is inline considered unsafe?

MDN says inline are excluded but it doesn't say why, same in reference.

答案1

得分: 2

CSP 可以防止跨站脚本注入。

如果用户能够注入<script>标签或onclick,因为您忘记转义用户输入,CSP 将阻止 JavaScript 运行。

出于安全考虑,最好完全避免内联脚本,这样您可以说:“在我的 HTML 主体中出现的任何内容都是不应该的,应该被阻止”,这绝对是一个推荐的做法。

英文:

CSP protects against XSS injections.

If a user is able to inject a &lt;script&gt; tag or onclick, because you forgot to escape user-input CSP will prevent that Javascript from running.

So for security purposes it can be good to just avoid any inline scripts altogether, so you can say: "Anything appearing in my HTML body is unintentional and should be blocked", and this is definitely a recommended practice.

huangapple
  • 本文由 发表于 2023年2月19日 08:48:51
  • 转载请务必保留本文链接:https://go.coder-hub.com/75497325.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定