英文:
Apply CSP on PrimeFaces project
问题
我正在尝试在一个PrimeFaces项目上应用CSP。我有一个名为three.js的javascript文件,我想将它包含在白名单中。
<script src="three.js" nonce="123"></script>
我已经在web.xml中定义了以下内容:
<context-param><!-- 启用CSP -->
<param-name>primefaces.CSP</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>primefaces.CSP_POLICY</param-name>
<param-value>script-src 'self' 'nonce-123'</param-value>
</context-param>
然而,当我这样做时,我检查了Content Security Policy头部,我能够看到两个头部,一个是默认策略,另一个是将three.js添加到白名单的策略。然而,它实际上并没有添加到白名单中,我得到的结果与只有以下内容时相同:
<context-param><!-- 启用CSP -->
<param-name>primefaces.CSP</param-name>
<param-value>true</param-value>
</context-param>
然而,如果我只使用第二个语句,也就是:
<context-param>
<param-name>primefaces.CSP_POLICY</param-name>
<param-value>script-src 'self' 'nonce-123'</param-value>
</context-param>
我就无法获得Content Security Policy头部。
我应该获得一个Content Security Policy头部,并且three.js应该添加到CSP的白名单中。
英文:
I a tryinng to apply CSP on a PrimeFaces project. I have a javascript file three.js, and i would like include it on a whitelist.
<script src="three.js" nonce="123"></script>
I already defined my web.xml
<context-param><!-- Enabling CSP -->
<param-name>primefaces.CSP</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>primefaces.CSP_POLICY</param-name>
<param-value>script-src 'self' 'nonce-123'</param-value>
</context-param>
However when i do this, then i check the header Content Security Policy and i am able to see two, the default policy and the policy that include three.js to whitelist. However, it is not really added to the with list and i get the same result that i get if i just have:
<context-param><!-- Enabling CSP -->
<param-name>primefaces.CSP</param-name>
<param-value>true</param-value>
</context-param>
However, if i just use the second statement, i means:
<context-param>
<param-name>primefaces.CSP_POLICY</param-name>
<param-value>script-src 'self' 'nonce-123'</param-value>
</context-param>
i am not getting the header Content Security Policy.
I should be getting a header Content Security Policy and three.js should be added to the while list od CSP.
答案1
得分: 2
我只能通过添加'unsafe-eval'来解决这个问题,但是在我看来,这应该是最后的选择。
<!-- 开始代码片段: js 隐藏: false 控制台: true Babel: false -->
<!-- 语言: lang-html -->
<context-param>
<param-name>primefaces.CSP</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>primefaces.CSP_POLICY</param-name>
<param-value>script-src 'unsafe-eval' 'self' 'nonce-123'</param-value>
</context-param>
<!-- 结束代码片段 -->
如果有人知道更好的方法,那就太棒了。
英文:
I could solve the issue just adding 'unsafe-eval', however, in my opinion it should be the last option.
<!-- begin snippet: js hide: false console: true babel: false -->
<!-- language: lang-html -->
<context-param>
<param-name>primefaces.CSP</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>primefaces.CSP_POLICY</param-name>
<param-value>script-src 'unsafe-eval' 'self' 'nonce-123'</param-value>
</context-param>
<!-- end snippet -->
It would be great if somebody know a better way.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论