英文:
Why does Content-Security-Policy header calls "inline" scripts "unsafe"?
问题
必须设置 Content-Security-Policy 标头为...
object-src 'none'
...以便在没有依赖项(包含内联脚本)的单个 HTML 页面上运行 <script> 标签。
为什么内联脚本被认为不安全?
MDN 表示 内联脚本被排除,但没有说明原因,参考文档 中也是一样。
英文:
Had to set Content-Security-Policy header to...
default-src https: 'unsafe-inline';
object-src 'none'
... for a single html page with no dependencies (with inline scripts) to run the <script> tag.
Why is inline considered unsafe?
MDN says inline are excluded but it doesn't say why, same in reference.
答案1
得分: 2
CSP 可以防止跨站脚本注入。
如果用户能够注入<script>标签或onclick,因为您忘记转义用户输入,CSP 将阻止 JavaScript 运行。
出于安全考虑,最好完全避免内联脚本,这样您可以说:“在我的 HTML 主体中出现的任何内容都是不应该的,应该被阻止”,这绝对是一个推荐的做法。
英文:
CSP protects against XSS injections.
If a user is able to inject a <script> tag or onclick, because you forgot to escape user-input CSP will prevent that Javascript from running.
So for security purposes it can be good to just avoid any inline scripts altogether, so you can say: "Anything appearing in my HTML body is unintentional and should be blocked", and this is definitely a recommended practice.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论