您如何为特定内容安全策略指令将特定域列入白名单,同时为其他域设置不太具体的指令?
How do you whitelist a specific domain for a specific content security policy directive, while having a less specific directive for other domains?
我想允许 unsafe-eval 用于 script-src 政策,但仅限于特定域。
例如,我只希望来自 *.example.net 的脚本能够使用 eval()。
script-src 'unsafe-inline' *;script-src 'unsafe-eval' 'unsafe-inline' *.example.net blob:;
以上方法无效。我怎样才能实现这种行为?
I want to allow 'unsafe-eval' for a 'script-src' policy, but only for a specific domain.
How can I achieve this behavior?
你不能。内容安全政策没有提供这样做的方法。
'unsafe-eval' 和 *.example.net 只是 CSP 规范所称的 “源表达式” 的不同类型,CSP 指令的值如因为 script-src 是 CSP 规范所称的 “源列表” — 单独的单个源表达式的列表。
并且 CSP 源列表中的源表达式彼此之间没有内部关联 — 相反,它们各自 全局 应用于它们关联的指令。
因此,如果您为 script-src 指令的值指定 'unsafe-eval',那么这始终具有全局允许 eval() 在任何 JavaScript 代码中的效果文件依赖。
CSP中没有其他语法来表达“only allow 'unsafe-eval' for *.example.net”。在 CSP 中无法表达这一点。
来自 https://w3c.github.io/webappsec-csp/#framework-directive-source-list:
Many directives' values consist of source lists: sets of strings which identify content that can be fetched and potentially embedded or executed. Each string represents one of the following types of source expression:
Keywords such as 'none' and 'self' (which match nothing and the current URL’s origin, respectively)
Serialized URLs such as https://example.com/path/to/file.js (which matches a specific file) or https://example.com/ (which matches everything on that origin)
Schemes such as https: (which matches any resource having the specified scheme)
Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host’s subdomains (and any of its subdomains' subdomains, and so on))
Nonces such as 'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA' (which can match specific elements on a page)
Digests such as 'sha256-abcd...' (which can match specific elements on a page)
我想允许 unsafe-eval 用于 script-src 政策,但仅限于特定域。
例如,我只希望来自 *.example.net 的脚本能够使用 eval()。
script-src 'unsafe-inline' *;script-src 'unsafe-eval' 'unsafe-inline' *.example.net blob:;
以上方法无效。我怎样才能实现这种行为?
I want to allow 'unsafe-eval' for a 'script-src' policy, but only for a specific domain.
How can I achieve this behavior?
你不能。内容安全政策没有提供这样做的方法。
'unsafe-eval' 和 *.example.net 只是 CSP 规范所称的 “源表达式” 的不同类型,CSP 指令的值如因为 script-src 是 CSP 规范所称的 “源列表” — 单独的单个源表达式的列表。
并且 CSP 源列表中的源表达式彼此之间没有内部关联 — 相反,它们各自 全局 应用于它们关联的指令。
因此,如果您为 script-src 指令的值指定 'unsafe-eval',那么这始终具有全局允许 eval() 在任何 JavaScript 代码中的效果文件依赖。
CSP中没有其他语法来表达“only allow 'unsafe-eval' for *.example.net”。在 CSP 中无法表达这一点。
来自 https://w3c.github.io/webappsec-csp/#framework-directive-source-list:
Many directives' values consist of source lists: sets of strings which identify content that can be fetched and potentially embedded or executed. Each string represents one of the following types of source expression:
Keywords such as
'none'and'self' (which match nothing and the current URL’s origin, respectively)Serialized URLs such as
https://example.com/path/to/file.js(which matches a specific file) orhttps://example.com/(which matches everything on that origin)Schemes such as
https:(which matches any resource having the specified scheme)Hosts such as
example.com(which matches any resource on the host, regardless of scheme) or*.example.com(which matches any resource on the host’s subdomains (and any of its subdomains' subdomains, and so on))Nonces such as
'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA'(which can match specific elements on a page)Digests such as
'sha256-abcd...'(which can match specific elements on a page)