MVC Ajax.BeginForm和内容安全策略

时间:2014-11-05 09:21:17

标签: c# jquery ajax asp.net-mvc content-security-policy

为防止跨侧脚本,我将CSP应用于我的某个应用程序。目前我正在重新配置所有的html类,因此javascript总是来自我的服务器。

现在我找到了一个包含Ajax.BeginForm的网页,如果我想提交表单并更新视图,则始终会收到错误“Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".”。

任何人都可以帮助我,问题出在哪里?

这是我的html类(简称):

UserInformation.cshtml:

<div id="OpenAccountInformation">@Html.Action("OpenAccountInformation")</div>
</div>

AccountInformation.cshtml:

@Scripts.Render("~/Scripts/bundles/ManageUsers/AccountInformation")
@model Tumormodelle.Models.ViewModels.AzaraUserModel

<input type="hidden" value="@ViewBag.Editable" id="EditableUserInformation">
<div id="Editable">
    @using (Ajax.BeginForm("EditUser", "ManageUsers", new AjaxOptions { InsertionMode = InsertionMode.Replace, UpdateTargetId = "OpenAccountInformation", HttpMethod = "post", }))
    {
        @Html.AntiForgeryToken()
        @Html.HiddenFor(m => m.UserID)
        <div>
            <div>
                @Html.LabelFor(m => m.Username, new { @class = "entryFieldLabel" })
            </div>
       </div>
          <div>
            <div>
                <button name="button" value="save" class="formbutton" id="saveButton">save</button>
                <button name="button" value="cancel" class="formbutton" id="cancelButton">cancel</button>
            </div>
                   }
</div>

<div id="NonEditable">

    <div>
        <div>
            @Html.LabelFor(m => m.Username, new { @class = "entryFieldLabel" })
        </div>
               </div>
           <div>
        <div>
            <button name="button" value="edit" class="formbutton" id="editButton" type="button">edit</button>
        </div>
                </div>
</div>

和c#方法:

public ActionResult EditUser(AzaraUserModel AzaraUserModel, string button)
{
    if (button == Tumormodelle.Properties.Resources.Save)
    {
        if (ModelState.IsValid)
        {
            azaraUserManagement.Update(AzaraUserModel.Username, AzaraUserModel.Title, AzaraUserModel.FirstName, AzaraUserModel.LastName, AzaraUserModel.EMailAddress, null, AzaraUserModel.Phone, AzaraUserModel.UserID, (byte)AzaraUserModel.ShowMail.ID);
            ViewBag.Message = Tumormodelle.Properties.Resources.Personal_Data_Changed;
            ViewBag.Editable = true;
        }
        else ViewBag.Editable = false;
        BindShowMailList();
        return PartialView("AccountInformation", AzaraUserModel);
    }
    else
    {
        return RedirectToAction("OpenAccountInformation", "ManageUsers");
    }
}

public ActionResult UserInformation()
{
    return View("UserInformation");
}

public PartialViewResult OpenAccountInformation()
{
    AzaraUserModel AzaraUserModel = new AzaraUserModel(azaraUserManagement.GetSingle(AzaraSession.Current.UserComparison.GetUser().Id));
    BindShowMailList();
    ViewBag.Editable = true;
    return PartialView("AccountInformation", AzaraUserModel);
}

编辑:在Chrome调试器的帮助下,我发现错误是在片刻形式被提交时抛出的。

2 个答案:

答案 0 :(得分:1)

Ajax.BeginForm将在您生成的页面HTML中生成内联脚本,您在内容安全策略中使用script-src 'self'禁止使用该脚本。

如果要使用CSP来阻止任何内联注入脚本,则必须使用Html.BeginForm并添加JavaScript以通过外部.js文件中的Ajax提交。

答案 1 :(得分:0)

尝试将此属性添加到控制器帖子操作

[ValidateInput(false)]
相关问题
最新问题