weixin_33743661 2017-09-21 18:57 采纳率: 0%
浏览 71

“不安全评估” MVC样板

I'm getting the error:

vendor.js:328 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of the script in the following Content Security Policy directive: "script-src 'self' localhost:* ajax.googleapis.com ajax.aspnetcdn.com".

I know I can solve this error by setting UnsafeEval = true, but this is unsafe and open my site up to XSS vulnerabilities.

Therefore is there a way I can allow some scripts though, also forms when I use AJAX. maybe u guys can give me an example of how to use these methods I'm not quite sure how to do it.

new CspFormActionAttribute()
    // Allow forms to post back to example.com.
    // CustomSources = "*.example.com",
    // Allow forms to post back to the same domain.
    Self = true

new CspChildSrcAttribute()
    // Allow web workers or embed frames from example.com.
    // CustomSources = "*.example.com",
    // Allow web workers or embed frames from the same domain.
    Self = false

// connect-src - This directive restricts which URIs the protected resource can load using script interfaces
// (Ajax Calls and Web Sockets).
    new CspConnectSrcAttribute()

        // Allow Browser Link to work in debug mode only.
        CustomSources = string.Join(" ", "localhost:*", "ws://localhost:*"),

        // Allow AJAX and Web Sockets to example.com.
        // CustomSources = "*.example.com",

        // Allow all AJAX and Web Sockets calls from the same domain.
        Self = true
  • 写回答

0条回答 默认 最新



    • ¥15 运筹优化,gurobi,python
    • ¥20 画CAD几张图片内容如下1111111111111111111111111111111111111111111
    • ¥15 基于python的电影系统推荐
    • ¥20 springmvc重定向和返回json
    • ¥15 数学建模——参会安排怎么做
    • ¥15 电脑键盘实现触摸功能
    • ¥25 matlab无法将表达式转换为双数组怎么解决?
    • ¥15 单片机汇编语言相关程序
    • ¥20 家用射频美容仪技术规格
    • ¥15 大家帮我看看为什么错了