ASP.NET WebForms 中的内容安全策略

Content-Security-Policy in ASP.NET WebForms(ASP.NET WebForms 中的内容安全策略)
本文介绍了ASP.NET WebForms 中的内容安全策略的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在寻找一种好方法来为我的 ASP.NET WebForms 应用程序实现相对强大的 Content-Security-Policy 标头.我将尽可能多的 JavaScript 存储在文件中而不是内联中,但默认情况下,WebForms 注入了大量内联脚本 — 用于诸如表单提交和基本 AJAX 调用之类的简单事情.

I'm looking for a good way to implement a relatively strong Content-Security-Policy header for my ASP.NET WebForms application. I'm storing as much JavaScript as possible in files instead of inline, but by default, WebForms injects a lot of inline scripts—for things as simple as form submission and basic AJAX calls.

MVC 有一些简单的方法来实现 nonce,尤其是在像 NWebsec 这样的第三方库的帮助下,但我似乎找不到任何用 WebForms 实现它们的方法.如果有一种方法可以预测和检索每个 .NET 注入的脚本标记的哈希值,我什至不会在使用哈希值时遇到问题.

MVC has some simple ways to implement nonces, especially with the help of third party libraries like NWebsec, but I can't seem to find any methods of implementing them with WebForms. I wouldn't even have a problem using hashes if there were a way to predict and retrieve the hash for each .NET injected script tag.

我讨厌允许 'unsafe-inline' 值.需要关闭如此强大的安全功能感觉是错误的.有没有合理的方法在 WebForms 中实现它?

I hate allowing the 'unsafe-inline' value. It feels wrong needing to turn off such a powerful security feature. Is there a reasonable way to implement it in WebForms?

推荐答案

我遇到了同样的问题.我很遗憾地说这是我们做过的最好的事情.我们基本上确定了我们使用和不使用的内容.我们甚至不得不在一些指令中加入 unsafe-eval,因为我们使用的第三方控件没有它就无法工作.至少我们避免调用外部网址.

I had the same problem. I'm sad to say this was the best we have done. We basically identified what we use and don't use. We even had to put unsafe-eval in some instructions because we were using third party controls that couldn't work without it. At least we avoid calls to external urls.

default-src 'self'; 
child-src 'self' 'unsafe-inline' 'unsafe-eval'; 
object-src 'none'; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; 
img-src 'self' https://www.google-analytics.com; 
style-src 'self' 'unsafe-inline'

这篇关于ASP.NET WebForms 中的内容安全策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!

本站部分内容来源互联网,如果有图片或者内容侵犯您的权益请联系我们删除!

相关文档推荐

c# Generic Setlt;Tgt; implementation to access objects by type(按类型访问对象的C#泛型集实现)
InvalidOperationException When using Context Injection in ASP.Net Core(在ASP.NET核心中使用上下文注入时发生InvalidOperationException)
how do i pass parameters to aspnet reportviewer(如何将参数传递给aspnet report查看器)
Bind multiple parameters from route and body to a model in ASP.NET Core(在ASP.NET Core中将路由和主体中的多个参数绑定到一个模型)
Custom model binding in AspNet Core WebApi?(AspNet Core WebApi中的自定义模型绑定?)
How to minify in .net core mvc view?(如何在.Net核心MVC视图中缩小?)