content-security-policy

CSP error in a node.js application

江枫思渺然 submitted on 2020-06-17 11:34:13
Question: I've a node.js application with a home page in angularjs. This page contains a 'search' box and has a corresponding search.js script which runs and makes a server-side query call. For security I added 'csp' in my node.js application with the following csp configuration. const csp = require('helmet-csp'); app.use(helmet()); app.use(csp({ directives: { defaultSrc: ["'self'", 'https://my.domain.com'], scriptSrc: ["'self'", "'unsafe-inline'"], styleSrc: ["'self'"], imgSrc: ["'self'"], connectSrc: ["

Asp net core Content Security Policy implementation

本小妞迷上赌 submitted on 2020-06-16 05:11:28
Question: I have implemented code to manage the Content Security Policy layer in my application. My implementation is based on an ActionFilterAttribute which was inspired by the code available here (I am including it in the question for the sake of simplicity). public override void OnResultExecuting( ResultExecutingContext context ) { var result = context.Result; if ( result is ViewResult ) { if ( !context.HttpContext.Response.Headers.ContainsKey( "X-Content-Type-Options" ) ) { context.HttpContext

Content Security Policy “Refused to execute inline event handler” error

怎甘沉沦 submitted on 2020-05-30 09:03:31
Question: I'm trying to mitigate XSS attacks by setting the Content-Security-Policy header but Chrome keeps throwing an error: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-Njg3MGUxNzkyMjViNDZkN2I3YTM3MDAzY2M0MjUxZGEzZmFhNDU0OGZjNDExMWU5OTVmMmMwMTg4NTA3ZmY4OQ=='". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. I tried setting the nonce in

Can CSP restrict the connections of dynamically loaded script?

半城伤御伤魂 submitted on 2020-05-29 08:07:30
Question: My site is loading a third-party library that loads all kinds of scripts to scrape the data from my site and send it to its own servers via XHR for analysis. I want to make a restriction such that my page can only talk to my servers and the one third-party server, and no other connections would be made. I'm wondering if CSP connect-src would do that? For example, let's say my site is x.com and the third party is y.com. If y.com loads a script that sends data to y.com it is okay but not if it

Does a *.example.com for a content security policy header also match example.com?

末鹿安然 submitted on 2020-05-09 01:23:28
Question: Say I have this header set on mywebsite.com: Content-Security-Policy: script-src self https://*.example.com I know it will allow https://foo.example.com and https://bar.example.com, but will it allow https://example.com alone? Looking at the spec.... Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host or any of its subdomains (and any of its subdomains' subdomains, and so on)) ...it seems as if it