Content Security Policy granularity: Does 'unsafe-eval' apply globally to all scripts?
Here is a CSP; the question concerns the script source elements:
default-src 'none'; script-src 'self' 'unsafe-eval' https://maps.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline';
So this CSP enables unsafe eval. Does that setting apply to all scripts, or only to 'self' scripts? In other words, at what level of granularity does 'unsafe-eval' apply?
It applies to all scripts.
The reason is that 'unsafe-eval' and 'self' are just different kinds of what the CSP spec calls "source expressions", and the value of a CSP directive such as script-src is what the CSP spec calls a "source list": a list of separate, individual source expressions.
The source expressions in a CSP source list have no relationship to one another; instead, each of them applies globally to the directive it belongs to.
So if you specify 'unsafe-eval' in the value of the script-src directive, that always has the effect of globally allowing eval() in any JavaScript code, regardless of which file it comes from.
From https://w3c.github.io/webappsec-csp/#framework-directive-source-list:
Many directives' values consist of source lists: sets of strings which identify content that can be fetched and potentially embedded or executed. Each string represents one of the following types of source expression:
Keywords such as 'none' and 'self' (which match nothing and the current URL’s origin, respectively)
Serialized URLs such as https://example.com/path/to/file.js (which matches a specific file) or https://example.com/ (which matches everything on that origin)
Schemes such as https: (which matches any resource having the specified scheme)
Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host’s subdomains (and any of its subdomains' subdomains, and so on))
Nonces such as 'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA' (which can match specific elements on a page)
Digests such as 'sha256-abcd...' (which can match specific elements on a page)
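The point of the answer above in code, as an added example that is not part of the original post or of the CSP spec: a minimal policy parser in which the `'unsafe-eval'` check reads the whole script-src source list and never looks at which source delivered the calling script. Host sources are matched by origin only, and 'none', nonces, hashes, schemes and wildcards are not modelled; the page origin https://app.example used below is a constructed value.

```javascript
// Added example (not the original answer's code): a minimal CSP parser that
// shows 'unsafe-eval' is a property of the whole script-src source list.
// Simplifications: host sources are matched by origin only; 'none', nonces,
// hashes, schemes and wildcards are not modelled.

// The policy from the question, embedded as constant input.
const EXAMPLE_CSP =
  "default-src 'none'; script-src 'self' 'unsafe-eval' https://maps.googleapis.com; " +
  "style-src 'self' https://fonts.googleapis.com 'unsafe-inline';";

// Split a serialized policy into a Map of directive name -> source list.
// As in the spec, a repeated directive name is ignored (the first one wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// script-src falls back to default-src when absent; null means "no restriction".
function effectiveScriptSources(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

// Does one source expression match a script fetched from scriptOrigin?
function matchesSource(source, pageOrigin, scriptOrigin) {
  if (source === "'self'") return scriptOrigin === pageOrigin;
  if (/^https?:\/\//i.test(source)) return new URL(source).origin === scriptOrigin;
  return false; // keyword, nonce and hash expressions never match a fetched URL here
}

// May a script at scriptUrl be loaded into a document served from pageOrigin?
function scriptAllowed(policy, pageOrigin, scriptUrl) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  const scriptOrigin = new URL(scriptUrl).origin;
  return sources.some(s => matchesSource(s, pageOrigin, scriptOrigin));
}

// May eval() / new Function() run at all? The check takes no script argument:
// the keyword applies to every script governed by the list, whatever its source.
function evalAllowed(policy) {
  const sources = effectiveScriptSources(policy);
  return sources === null || sources.includes("'unsafe-eval'");
}
```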