近日接手了一个C#MVC5 , 使用的.net framework4.5.2框架的Web项目, 在AppScan扫描时发现Content-Security-Policy缺失, 通过上网查找, 将CSP策略配置为:
default-src 'self' ;style-src 'self' 'unsafe-hashes' 'sha256-xxx' ;script-src 'strict-dynamic' 'nonce-xxx'; object-src 'self';frame-ancestors 'self';"
将项目的内联样式都转换为外联css并引入, 原视图中的script也标记了nonce值, 引用外部js, 以下是某一个视图代码:
<script src="~/Scripts/jquery-3.7.0.js" nonce="@ViewBag.nonce"></script>
<script src="~/Scripts/jquery-ui-1.13.2.js" nonce="@ViewBag.nonce"></script>
<script src="~/Scripts/jquery.unobtrusive-ajax.js" nonce="@ViewBag.nonce"></script>
......
table>
<tr>
<th>XXX</th>
....
</tr>
@foreach (var item in Model)
{
<tr>
....
<td align="center">
<a data-ajax="true" data-ajax-success="showResultMsg(data)" href="@Url.Action("Delete", "XXXController", new { paramA = item.A})" data-ajax-confrim="是否確認要移除此賬號?">移除</a>
</td>
</tr>
}
}
在点击移除时, 报错如下:
点进去 , 构造函数时报错
因AppScan报告unsafe-inline 和 unsafe-eval不安全, 项目不改不行 , 但我刚刚接触C#开发,前端知识不了解,网上资料也没搜到合适, 还恳请各位友人帮忙解惑 , 感激不尽!
另, 在引入日期 WdatePicker.js时, 会报错, 但引入js时, 赋予了nonce值,这种错误是什么原因呢?
<input type="datetime" id="expiration_time" name="expiration_time" value="@Model.expiration_time.ToString("yyyy-MM-dd HH:mm:ss")" onfocus="javascript:WdatePicker({ readOnly: true, dateFmt: 'yyyy-MM-dd HH:mm' });" />
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'nonce-XXX'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.