使用Paypal按钮的内容安全策略

时间:2016-07-11 05:39:54

标签: security paypal content-security-policy

我想将内容安全策略(CSP)设置为my with page,其中包含paypal按钮,其中包含来自https://www.paypalobjects.com的gif图像,我将其包含在我的img-src白名单中。

     <input type="image" src="https://www.paypalobjects.com/en_GB/SG/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">

但该图片会暂时重定向到https://akamai.mathtag.comhttps://ak1s.abmr.net

等随机域

我应该如何设置CSP,以便img-src也包含重定向域。我不知道所有重定向域名。

2 个答案:

答案 0 :(得分:1)

请注意,Paypal声明您应该仅将结账按钮热链接,而不是将其保存在其他地方:

  

PayPal要求您使用PayPal Check out按钮和托管在安全PayPal服务器上的PayPal标记图像。

Obtaining an Express Checkout Button and PayPal Mark

目前尚不清楚这是如何强制执行的。

答案 1 :(得分:0)

CSP requires that you know the domains you are referencing content from, which is one of its weaknesses.

In order to get around that, there's a few things you could do:

  1. Remove the img-src whitelist from CSP altogether. This sounds sub-optimal, but unless someone is able to directly compromise your server ( in which case they could modify the CSP header anyways ), or they are able to exploit a Cross-Site Scripting attack on your site, the img-src is not a huge concern. I would worry more about the script-src section, which, if implemented properly, would likely prevent unauthorized images from being loaded anyways.
  2. Create a whitelist based proxy for CSP purposes. Basically, the browser requests the image from your server, and your server then retrieves the images on the backend, following through the redirects, caches the image, and returns it to the user.
  3. As SilverlightFox said, you could also store the image directly on your servers. This could be problematic if you ever need to access other images that don't comply with such a strict CSP. Also, if the buy button image changes and you are unaware of it/haven't updated it, that could create suspicion amongst potential customers who had seen the new buy button elsewhere.

Hope that helps!