Symfony 3 - 内容安全策略
Symfony 3 - Content Security Policy
我在使用内容安全策略(CSP)时遇到了问题。每当我尝试在项目中引入 JavaScript 时,浏览器都会报告内容安全策略错误。
<!DOCTYPE html>
<html>
<head>
<title>Symfony</title>
<!-- NOTE(review): if asset() resolves to the page's own origin, this external
     script is already permitted by "script-src 'self'"; the reported violation
     is then more likely caused by inline <script> content elsewhere in the page
     (in the dev environment Symfony's web debug toolbar injects inline
     JavaScript) — check the blocked resource named in the browser console. -->
<script src="{{ asset('myscript.js') }}"></script>
</head>
<body>
// ...
</body>
</html>
我做错了什么?
我已经尝试过:
- .htaccess:
Header set Content-Security-Policy "script-src 'self';"
- html:
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
- https://ikvasnica.com/blog/how-to-protect-php-application-from-xss-attacks-csp-3-nonce/
好的,我找到了解决办法:在代码中添加一个事件订阅者,由它设置 Content-Security-Policy 响应头。需要注意,下面策略中的 'unsafe-inline' 会放行所有内联脚本,因而大幅削弱 CSP 对 XSS 的防护。
<?php
namespace AppBundle\Subscriber;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
/**
 * Adds a Content-Security-Policy header to every HTTP response.
 *
 * Registered for KernelEvents::RESPONSE, so the header is applied after the
 * controller has produced the response and before it is sent.
 *
 * NOTE(review): the policy below carries 'unsafe-inline' in both default-src
 * and script-src, which allows any inline <script> block and inline event
 * handler to execute. That removes most of what CSP offers against injected
 * script; a nonce- or hash-based allow-list for the specific inline scripts
 * the application needs is the usual way to drop 'unsafe-inline'.
 *
 * @package AppBundle\Subscriber
 */
class ResponseSubscriber implements EventSubscriberInterface
{
    /**
     * {@inheritdoc}
     *
     * @return array event name => handler method name
     */
    public static function getSubscribedEvents()
    {
        return [KernelEvents::RESPONSE => 'onResponse'];
    }

    /**
     * Sets the CSP header, plus its two pre-standard vendor-prefixed names,
     * on the outgoing response.
     *
     * X-Content-Security-Policy and X-WebKit-CSP are legacy header names that
     * predate the standard; they are kept here for old browsers only.
     *
     * @param FilterResponseEvent $event
     */
    public function onResponse(FilterResponseEvent $event)
    {
        $headers = $event->getResponse()->headers;

        // Directives are joined with ';' to produce a single policy string.
        $directives = [
            "default-src 'self' 'unsafe-inline'",
            "script-src 'self' 'unsafe-inline'",
        ];
        $policy = implode(';', $directives);

        $headerNames = [
            'Content-Security-Policy',
            'X-Content-Security-Policy',
            'X-WebKit-CSP',
        ];
        foreach ($headerNames as $name) {
            $headers->set($name, $policy);
        }
    }
}
和
# app/config/services.yml
services:
    # ...
    # NOTE(review): the subscriber only runs if it is registered with the event
    # dispatcher. If the "# ..." above holds the Symfony 3.3+ default
    # `_defaults: { autoconfigure: true }`, the EventSubscriberInterface
    # implementation is tagged automatically; otherwise add
    # `tags: [kernel.event_subscriber]` or the header is never set.
    # `autowire` has no effect here: the class has no constructor dependencies.
    app.responseSubscriber:
        class: AppBundle\Subscriber\ResponseSubscriber
        autowire: true
我在使用内容安全策略(CSP)时遇到了问题。每当我尝试在项目中引入 JavaScript 时,浏览器都会报告内容安全策略错误。
<!DOCTYPE html>
<html>
<head>
<title>Symfony</title>
<!-- NOTE(review): if asset() resolves to the page's own origin, this external
     script is already permitted by "script-src 'self'"; the reported violation
     is then more likely caused by inline <script> content elsewhere in the page
     (in the dev environment Symfony's web debug toolbar injects inline
     JavaScript) — check the blocked resource named in the browser console. -->
<script src="{{ asset('myscript.js') }}"></script>
</head>
<body>
// ...
</body>
</html>
我做错了什么?
我已经尝试过:
- .htaccess:
Header set Content-Security-Policy "script-src 'self';"
- html:
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
- https://ikvasnica.com/blog/how-to-protect-php-application-from-xss-attacks-csp-3-nonce/
好的,我找到了解决办法:在代码中添加一个事件订阅者,由它设置 Content-Security-Policy 响应头。需要注意,下面策略中的 'unsafe-inline' 会放行所有内联脚本,因而大幅削弱 CSP 对 XSS 的防护。
<?php
namespace AppBundle\Subscriber;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
/**
 * Adds a Content-Security-Policy header to every HTTP response.
 *
 * Registered for KernelEvents::RESPONSE, so the header is applied after the
 * controller has produced the response and before it is sent.
 *
 * NOTE(review): the policy below carries 'unsafe-inline' in both default-src
 * and script-src, which allows any inline <script> block and inline event
 * handler to execute. That removes most of what CSP offers against injected
 * script; a nonce- or hash-based allow-list for the specific inline scripts
 * the application needs is the usual way to drop 'unsafe-inline'.
 *
 * @package AppBundle\Subscriber
 */
class ResponseSubscriber implements EventSubscriberInterface
{
    /**
     * {@inheritdoc}
     *
     * @return array event name => handler method name
     */
    public static function getSubscribedEvents()
    {
        return [KernelEvents::RESPONSE => 'onResponse'];
    }

    /**
     * Sets the CSP header, plus its two pre-standard vendor-prefixed names,
     * on the outgoing response.
     *
     * X-Content-Security-Policy and X-WebKit-CSP are legacy header names that
     * predate the standard; they are kept here for old browsers only.
     *
     * @param FilterResponseEvent $event
     */
    public function onResponse(FilterResponseEvent $event)
    {
        $headers = $event->getResponse()->headers;

        // Directives are joined with ';' to produce a single policy string.
        $directives = [
            "default-src 'self' 'unsafe-inline'",
            "script-src 'self' 'unsafe-inline'",
        ];
        $policy = implode(';', $directives);

        $headerNames = [
            'Content-Security-Policy',
            'X-Content-Security-Policy',
            'X-WebKit-CSP',
        ];
        foreach ($headerNames as $name) {
            $headers->set($name, $policy);
        }
    }
}
和
# app/config/services.yml
services:
    # ...
    # NOTE(review): the subscriber only runs if it is registered with the event
    # dispatcher. If the "# ..." above holds the Symfony 3.3+ default
    # `_defaults: { autoconfigure: true }`, the EventSubscriberInterface
    # implementation is tagged automatically; otherwise add
    # `tags: [kernel.event_subscriber]` or the header is never set.
    # `autowire` has no effect here: the class has no constructor dependencies.
    app.responseSubscriber:
        class: AppBundle\Subscriber\ResponseSubscriber
        autowire: true