头盔和 contentSecurityPolicy 并使用随机数并添加它但仍然出现错误

问题描述 投票:0回答:1

我正在使用 Helmet.contentSecurityPolicy,这里是我的对象的要点:

我的脚本未加载...... 该内容尚未加载,但您可以看到我将其包含在我的信任项目中;

未加载:这些项目是通过 GOOGLETAGMANGER 加载的,但我对此有一个随机数? enter image description here

在其中一些脚本标记中,例如 googleTagmanager,我添加了随机数。现在,对于某些,我无法添加,但我将它们明确地放在配置中。

example of nonce in script tag:
<script nonce="2d4f393ea5bc957db4f385232a53fcc8" async src="https://www.googletagmanager.com/gtag/js?id=*******"></script>

那些本地主机 这些是由 webpack 创建的,但我的可接受项目中显然有“localhost”......所以我很困惑。有什么帮助吗?

The errors, are like the following: But I do HAVE the nonce tag (in some of them) AND you can see I include "unsafe-inline".

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline' nonce-a449a007188e909846c2e74148c3e1b0 <URL> *.kustomerapp.com/ <URL> *.segment.com/ <URL> *.cloudfront.net <URL> *.stripe.com <URL> *.split.io <URL> *.googletagmanager.com 'self' <URL> ws://localhost:*". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

我的头盔中间件要带入..

import helmet from 'helmet';

const trusted = [
  "'self'",
];

if (process.env.NODE_ENV !== 'production') {
  trusted.push('http://localhost:*', 'ws://localhost:*');
}

export default function contentSecurityPolicy(nonce) {
  return helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: trusted,
      scriptSrc: [
        "'unsafe-eval'",
        "'unsafe-inline'",
        `nonce-${nonce}`,
        'https://www.googletagmanager.com',
        '*.googletagmanager.com',
      ].concat(trusted),
      styleSrc: [
        "'unsafe-inline'",
        '*.gstatic.com',
        '*.googleapis.com',
        'https://*.typography.com',
      ].concat(trusted),
      frameSrc: [
        '*.stripe.com',
      ].concat(trusted),
      fontSrc: [
        '*.cloudflare.com',
        'https://*.cloudflare.com',
        '*.bootstrapcdn.com',
        '*.googleapis.com',
        '*.gstatic.com',
        'data',
      ].concat(trusted),
      imgSrc: [
        'www.googletagmanager.com',
      ].concat(trusted),
    },
    // set to true if you only want to report errors
    reportOnly: false,
    // set to true if you want to set all headers
    setAllHeaders: false,
    // set to true if you want to force buggy CSP in Safari 5
    safari5: false
  });
};

我的一些服务器代码的上下文:

const nonce = crypto.randomBytes(16).toString('hex');
const app = new Express();
app.use(cookieParser());
app.use(helmet());
app.use(helmet.referrerPolicy({ policy: 'same-origin' }));
app.use(contentSecurityPolicy(nonce));
express content-security-policy helmet.js
1个回答
5
投票

我是这里的新手,但我注意到你的错误:

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline' nonce-a449a007188e909846c2e74148c3e1b0 

nonce-a449a007188e909846c2e74148c3e1b0
缺少 
'
,所以我会考虑将您的 
contentSecurityPolicy
函数修改为:

export default function contentSecurityPolicy(nonce) {
  return helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: trusted,
      scriptSrc: [
        "'unsafe-eval'",
        "'unsafe-inline'",
        `'nonce-${nonce}'`,
        'https://www.googletagmanager.com',
        '*.googletagmanager.com',
      ].concat(trusted),
      ...
    }
   });
}

在写

'
部分时添加
nonce-${nonce}

参考:Reference中的Helmet JS > helmet.contentSecurityPolicy(options) > Examples > // 设置“Content-Security-Policy: default-src 'self';script-src 'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'"部分

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.