The problem
Content-Security-Policy should blacklist script and style parsing by default and allow it based on various instructions of which one is verified a hash of the expected output. The browser must fail to implement any Javascript or CSS which has not been given a matching hash in advance. Code with a matching hash should be executed as normal. Microsoft Edge is refusing all JS/CSS in-page blocks.
Instructions Visit the live demonstration link below in Microsoft Edge, and also in any other browser.
Live demonstration:
Demonstration original source code
<!doctype html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='; script-src 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc=';" />
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='; script-src 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc=';" />
<style>#loading{color:transparent}#loading:after{color:green;content:"Style loaded."}</style>
</head>
<body>
<span id="loading">Hashes loading...</span>
<script src=".1.4/jquery.min.js"></script>
<script>alert("Script loaded.")</script>
- Expected behaviour: The body should change to "Style loaded.", an alert box should say "Script loaded.", external Javascript should not throw an error. Console shows no issues.
- Actual behaviour: Body stuck on "Hashes loading...". Hashes refused, external Javascript accepted. Console shows errors:
CSP14304: Unknown source ‘'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='’ for directive ‘style-src’ in - source will be ignored.
CSP14306: No sources given for directive ‘style-src’ for - this is equivalent to using ‘none’ and will prevent the downloading of all resources of this type.
CSP14304: Unknown source ‘'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc='’ for directive ‘script-src’ in - source will be ignored.
CSP14312: Resource violated directive ‘style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='’ in : inline style. Resource will be blocked.
CSP14312: Resource violated directive ‘script-src LINK-REMOVED-INSUFFICIENT-REPUTATION-ON-STACKOVERFLOW-SHOULD-BE-THE-GOOGLE-API-URL 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc='’ in : inline script. Resource will be blocked.
Attempted fixes
- Verifying the hashes are correct: Double-checked calculation was binary, that's about it. Not much to do, other browsers are accepting them.
- Changed values of
default-srcandconnect-srctoselfrather thannone
I can't think of anything else to try.
Update 24 hours later: Added X-Content-Security-Policy for pleteness & JSBin URL updated, though it doesn't make a difference to this particular situation.
The problem
Content-Security-Policy should blacklist script and style parsing by default and allow it based on various instructions of which one is verified a hash of the expected output. The browser must fail to implement any Javascript or CSS which has not been given a matching hash in advance. Code with a matching hash should be executed as normal. Microsoft Edge is refusing all JS/CSS in-page blocks.
Instructions Visit the live demonstration link below in Microsoft Edge, and also in any other browser.
Live demonstration: http://output.jsbin./biqidoqebu
Demonstration original source code
<!doctype html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='; script-src https://ajax.googleapis. 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc=';" />
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='; script-src https://ajax.googleapis. 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc=';" />
<style>#loading{color:transparent}#loading:after{color:green;content:"Style loaded."}</style>
</head>
<body>
<span id="loading">Hashes loading...</span>
<script src="https://ajax.googleapis./ajax/libs/jquery/2.1.4/jquery.min.js"></script>
<script>alert("Script loaded.")</script>
- Expected behaviour: The body should change to "Style loaded.", an alert box should say "Script loaded.", external Javascript should not throw an error. Console shows no issues.
- Actual behaviour: Body stuck on "Hashes loading...". Hashes refused, external Javascript accepted. Console shows errors:
CSP14304: Unknown source ‘'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='’ for directive ‘style-src’ in - source will be ignored.
CSP14306: No sources given for directive ‘style-src’ for - this is equivalent to using ‘none’ and will prevent the downloading of all resources of this type.
CSP14304: Unknown source ‘'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc='’ for directive ‘script-src’ in - source will be ignored.
CSP14312: Resource violated directive ‘style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='’ in : inline style. Resource will be blocked.
CSP14312: Resource violated directive ‘script-src LINK-REMOVED-INSUFFICIENT-REPUTATION-ON-STACKOVERFLOW-SHOULD-BE-THE-GOOGLE-API-URL 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc='’ in : inline script. Resource will be blocked.
Attempted fixes
- Verifying the hashes are correct: Double-checked calculation was binary, that's about it. Not much to do, other browsers are accepting them.
- Changed values of
default-srcandconnect-srctoselfrather thannone
I can't think of anything else to try.
Update 24 hours later: Added X-Content-Security-Policy for pleteness & JSBin URL updated, though it doesn't make a difference to this particular situation.
Share Improve this question edited Jul 31, 2015 at 8:30 StackOverflowAcc asked Jul 30, 2015 at 9:30 StackOverflowAccStackOverflowAcc 1711 silver badge10 bronze badges 7- does internet explorer support this? – Daniel A. White Commented Jul 30, 2015 at 9:33
- you should use an actual http header. – Daniel A. White Commented Jul 30, 2015 at 9:34
-
have you tried
style-src self 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='orstyle-src URL_OF_YOUR_PAGE 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='? – ben Commented Jul 30, 2015 at 9:39 - @Daniel A. White - The issue does not occur in IE11.The page is dynamically created and then cached server-side, so http-headers aren't possible. Though, presumably, you'd want the headers in-page if they are ever loaded from client cache as well. It should make no difference, browsers clearly deal with it just fine. – StackOverflowAcc Commented Jul 30, 2015 at 9:49
- @ben Yes, domain instead of self doesn't help. I'm sure that should only be applied to separate requests anyway. – StackOverflowAcc Commented Jul 30, 2015 at 9:50
2 Answers
Reset to default 9EDIT: this may be incorrect. See ments above.
IE 11 does not support Content-Security-Policy (only X-Content-Security-Policy), this fails open.
IE 12 supports CSP, but does not grok nonces/hashes, it fails closed... unless you also supply 'unsafe-inline' in a Content-Security-Policy header.
CSP level 2 says "if a hash or nonce is supplied, ignore 'unsafe-inline'." this is for backwards patibility since older browsers will grok the 'unsafe-inline' but not the nonces/hashes. See http://www.w3/TR/CSP2/#directive-script-src
http://caniuse./#feat=contentsecuritypolicy
http://caniuse./#feat=contentsecuritypolicy2
IE Edge does not support Content Security Policy Level 2, and hash-source belongs to level 2.
发布者:admin,转转请注明出处:http://www.yc00.com/questions/1743638208a4482512.html
评论列表(0条)