应用CSP在PrimeFaces项目中

huangapple go评论70阅读模式
英文:

Apply CSP on PrimeFaces project

问题

我正在尝试在一个PrimeFaces项目上应用CSP。我有一个名为three.js的javascript文件,我想将它包含在白名单中。

<script src="three.js" nonce="123"></script>

我已经在web.xml中定义了以下内容:

<context-param><!-- 启用CSP -->
    <param-name>primefaces.CSP</param-name>
    <param-value>true</param-value>
</context-param>

<context-param>
    <param-name>primefaces.CSP_POLICY</param-name>
    <param-value>script-src 'self' 'nonce-123'</param-value>
</context-param>

然而,当我这样做时,我检查了Content Security Policy头部,我能够看到两个头部,一个是默认策略,另一个是将three.js添加到白名单的策略。然而,它实际上并没有添加到白名单中,我得到的结果与只有以下内容时相同:

<context-param><!-- 启用CSP -->
    <param-name>primefaces.CSP</param-name>
    <param-value>true</param-value>
</context-param>

然而,如果我只使用第二个语句,也就是:

<context-param>
    <param-name>primefaces.CSP_POLICY</param-name>
    <param-value>script-src 'self' 'nonce-123'</param-value>
</context-param>

我就无法获得Content Security Policy头部。

我应该获得一个Content Security Policy头部,并且three.js应该添加到CSP的白名单中。

英文:

I a tryinng to apply CSP on a PrimeFaces project. I have a javascript file three.js, and i would like include it on a whitelist.

&lt;script src="three.js" nonce="123"&gt;&lt;/script&gt;

I already defined my web.xml

&lt;context-param&gt;&lt;!-- Enabling CSP --&gt;
    &lt;param-name&gt;primefaces.CSP&lt;/param-name&gt;
    &lt;param-value&gt;true&lt;/param-value&gt;
&lt;/context-param&gt;
	
&lt;context-param&gt;
    &lt;param-name&gt;primefaces.CSP_POLICY&lt;/param-name&gt;
    &lt;param-value&gt;script-src &#39;self&#39; &#39;nonce-123&#39;&lt;/param-value&gt;
&lt;/context-param&gt;

However when i do this, then i check the header Content Security Policy and i am able to see two, the default policy and the policy that include three.js to whitelist. However, it is not really added to the with list and i get the same result that i get if i just have:

&lt;context-param&gt;&lt;!-- Enabling CSP --&gt;
    &lt;param-name&gt;primefaces.CSP&lt;/param-name&gt;
    &lt;param-value&gt;true&lt;/param-value&gt;
&lt;/context-param&gt;

However, if i just use the second statement, i means:

&lt;context-param&gt;
    &lt;param-name&gt;primefaces.CSP_POLICY&lt;/param-name&gt;
    &lt;param-value&gt;script-src &#39;self&#39; &#39;nonce-123&#39;&lt;/param-value&gt;
&lt;/context-param&gt;

i am not getting the header Content Security Policy.

I should be getting a header Content Security Policy and three.js should be added to the while list od CSP.

答案1

得分: 2

我只能通过添加'unsafe-eval'来解决这个问题,但是在我看来,这应该是最后的选择。

<!-- 开始代码片段: js 隐藏: false 控制台: true Babel: false -->

<!-- 语言: lang-html -->

<context-param>
    <param-name>primefaces.CSP</param-name>
    <param-value>true</param-value>
</context-param>

<context-param>
    <param-name>primefaces.CSP_POLICY</param-name>
    <param-value>script-src 'unsafe-eval' 'self' 'nonce-123'</param-value>
</context-param>

<!-- 结束代码片段 -->

如果有人知道更好的方法,那就太棒了。

英文:

I could solve the issue just adding 'unsafe-eval', however, in my opinion it should be the last option.

<!-- begin snippet: js hide: false console: true babel: false -->

<!-- language: lang-html -->

&lt;context-param&gt;
    &lt;param-name&gt;primefaces.CSP&lt;/param-name&gt;
    &lt;param-value&gt;true&lt;/param-value&gt;
&lt;/context-param&gt;
    
&lt;context-param&gt;
    &lt;param-name&gt;primefaces.CSP_POLICY&lt;/param-name&gt;
    &lt;param-value&gt;script-src &#39;unsafe-eval&#39; &#39;self&#39; &#39;nonce-123&#39;&lt;/param-value&gt;
&lt;/context-param&gt;

<!-- end snippet -->

It would be great if somebody know a better way.

huangapple
  • 本文由 发表于 2023年6月1日 02:25:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/76376355.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定