net 空 webform 项目并添加 1 个按钮、1 个内联脚本(按钮中使用的 1 个函数)并为 Content-Security-Policy 设置声明 1 个元标记。
我的意图是想在我的aspx文件中使用nonce逻辑,内联脚本必须包含~
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication4.WebForm1" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' ; script-src 'self' 'nonce-random' 'unsafe-eval'; "/>
<script type="text/javascript" nonce="random">
function Test() {
alert("testing");
}
</script>
</head>
<body>
<form id="form1" runat="server">
<div>
<button type="button" onclick="Test()">Test</button>
</div>
</form>
</body>
</html>```
My expected result:
Launced website, click button and return me the alart message.
Acutal result:
Nothing happend.
Here is log mesage from console of developer tool of browser:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-random' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
**
Please help, any solution to this issue?
My intention is want to use nonce logic in my aspx file, inline script must include~
Click button can see the alert message**
您已将随机数添加到内联脚本中,但很可能是内联事件处理程序 (onclick="Test()") 导致了错误。尝试用事件监听器替换它,因为内联事件处理程序不是 nonceable 元素。