头盔内容安全策略全局路径不起作用
Helmet Content Security Policy Global Path not working
我正在使用 Helmet 在后端使用 Express 设置我的 Web 应用程序的内容安全策略。政策如下所示:
const express = require("express");
const app = express();
const helmet = require('helmet');
app.use(helmet());
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://ajax.googleapis.com"],
imgSrc: ["https://firebasestorage.googleapis.com"],
objectSrc: ["'none'"],
styleSrc: ["'self'", "https://maxcdn.bootstrapcdn.com/bootstrap", "https://www.w3schools.com"],
upgradeInsecureRequests: [],
},
})
);
当我的应用程序尝试访问 link,例如 https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css。它说它违反了 styleSrc 政策。但是我已经指定了允许 https://maxcdn.bootstrapcdn.com/bootstrap 的策略之一,我认为 https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css 也会被接受,因为它是 child src。但显然它被阻止了。那么我该如何让 child src 通过呢?我已经试过了https://maxcdn.bootstrapcdn.com/bootstrap*但是无效。
这里是头盔的作者。
尝试添加尾部斜杠,如下所示:
https://maxcdn.bootstrapcdn.com/bootstrap/
这是因为 /bootstrap 不允许您做类似 /bootstrap/3.4.0/css/bootstrap.min.css 的事情,但是 /bootstrap/ 可以。这是内容安全策略的事情,而不是头盔的事情。
有关 nitty-gritty 的详细信息,请参阅 the "Matching Source Expressions" section in the CSP spec 的第 11 步:
If the source expression contains a non-empty path-part, and the URL is not the result of a redirect, then:
- Let exact-match be
true if the final character of path-part is not the U+002F SOLIDUS character (/), and false otherwise.
- Let source-expression-path-list be the result of splitting
path-part on the U+002F SOLIDUS character (/).
- If source-expression-path-list’s length is greater than url-path-list’s length, return does not match.
- For each entry in source-expression-path-list:
- Percent decode entry.
- Percent decode the first item in url-path-list.
- If entry is not an ASCII case-insensitive match for the first item in url-path-list, return does not match.
- Pop the first item in url-path-list off the list.
- If exact-match is
true, and url-path-list is not empty, return does not match.
顺便说一句,您可能希望将您的 Helmet 代码清理成这样:
app.use(helmet({
contentSecurityPolicy: {
directives: {
// ...
},
},
}));
您的代码使用 helmet(),其中包括一些默认的 CSP 中间件,然后用 helmet.contentSecurityPolicy() 覆盖它。没什么大不了的,但只使用一次更正确。
我正在使用 Helmet 在后端使用 Express 设置我的 Web 应用程序的内容安全策略。政策如下所示:
const express = require("express");
const app = express();
const helmet = require('helmet');
app.use(helmet());
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "https://ajax.googleapis.com"],
imgSrc: ["https://firebasestorage.googleapis.com"],
objectSrc: ["'none'"],
styleSrc: ["'self'", "https://maxcdn.bootstrapcdn.com/bootstrap", "https://www.w3schools.com"],
upgradeInsecureRequests: [],
},
})
);
当我的应用程序尝试访问 link,例如 https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css。它说它违反了 styleSrc 政策。但是我已经指定了允许 https://maxcdn.bootstrapcdn.com/bootstrap 的策略之一,我认为 https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css 也会被接受,因为它是 child src。但显然它被阻止了。那么我该如何让 child src 通过呢?我已经试过了https://maxcdn.bootstrapcdn.com/bootstrap*但是无效。
这里是头盔的作者。
尝试添加尾部斜杠,如下所示:
https://maxcdn.bootstrapcdn.com/bootstrap/
这是因为 /bootstrap 不允许您做类似 /bootstrap/3.4.0/css/bootstrap.min.css 的事情,但是 /bootstrap/ 可以。这是内容安全策略的事情,而不是头盔的事情。
有关 nitty-gritty 的详细信息,请参阅 the "Matching Source Expressions" section in the CSP spec 的第 11 步:
If the source expression contains a non-empty
path-part, and the URL is not the result of a redirect, then:
- Let exact-match be
trueif the final character ofpath-partis not the U+002F SOLIDUS character (/), andfalseotherwise.- Let source-expression-path-list be the result of splitting
path-parton the U+002F SOLIDUS character (/).- If source-expression-path-list’s length is greater than url-path-list’s length, return does not match.
- For each entry in source-expression-path-list:
- Percent decode entry.
- Percent decode the first item in url-path-list.
- If entry is not an ASCII case-insensitive match for the first item in url-path-list, return does not match.
- Pop the first item in url-path-list off the list.
- If exact-match is
true, and url-path-list is not empty, return does not match.
顺便说一句,您可能希望将您的 Helmet 代码清理成这样:
app.use(helmet({
contentSecurityPolicy: {
directives: {
// ...
},
},
}));
您的代码使用 helmet(),其中包括一些默认的 CSP 中间件,然后用 helmet.contentSecurityPolicy() 覆盖它。没什么大不了的,但只使用一次更正确。