头盔内容安全策略全局路径不起作用

Helmet Content Security Policy Global Path not working

我正在使用 Helmet 在后端使用 Express 设置我的 Web 应用程序的内容安全策略。政策如下所示:

const express = require("express");
const app = express();
const helmet = require('helmet');

app.use(helmet());
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "https://ajax.googleapis.com"],
      imgSrc: ["https://firebasestorage.googleapis.com"],
      objectSrc: ["'none'"],
      styleSrc: ["'self'", "https://maxcdn.bootstrapcdn.com/bootstrap", "https://www.w3schools.com"],
      upgradeInsecureRequests: [],
    },
  })
);

当我的应用程序尝试访问 link,例如 https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css。它说它违反了 styleSrc 政策。但是我已经指定了允许 https://maxcdn.bootstrapcdn.com/bootstrap 的策略之一,我认为 https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css 也会被接受,因为它是 child src。但显然它被阻止了。那么我该如何让 child src 通过呢?我已经试过了https://maxcdn.bootstrapcdn.com/bootstrap*但是无效。

这里是头盔的作者。

尝试添加尾部斜杠,如下所示:

https://maxcdn.bootstrapcdn.com/bootstrap/

这是因为 /bootstrap 不允许您做类似 /bootstrap/3.4.0/css/bootstrap.min.css 的事情,但是 /bootstrap/ 可以。这是内容安全策略的事情,而不是头盔的事情。

有关 nitty-gritty 的详细信息,请参阅 the "Matching Source Expressions" section in the CSP spec 的第 11 步:

If the source expression contains a non-empty path-part, and the URL is not the result of a redirect, then:

  1. Let exact-match be true if the final character of path-part is not the U+002F SOLIDUS character (/), and false otherwise.
  2. Let source-expression-path-list be the result of splitting path-part on the U+002F SOLIDUS character (/).
  3. If source-expression-path-list’s length is greater than url-path-list’s length, return does not match.
  4. For each entry in source-expression-path-list:
    1. Percent decode entry.
    2. Percent decode the first item in url-path-list.
    3. If entry is not an ASCII case-insensitive match for the first item in url-path-list, return does not match.
    4. Pop the first item in url-path-list off the list.
  5. If exact-match is true, and url-path-list is not empty, return does not match.

顺便说一句,您可能希望将您的 Helmet 代码清理成这样:

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      // ...
    },
  },
}));

您的代码使用 helmet(),其中包括一些默认的 CSP 中间件,然后用 helmet.contentSecurityPolicy() 覆盖它。没什么大不了的,但只使用一次更正确。