ASP.NET MVC HTML5 Boilerplate - 内容安全策略正在查杀所有外部脚本,甚至是“白名单”脚本

时间:2016-09-16 23:44:16

标签: asp.net asp.net-mvc html5 asp.net-mvc-5 html5boilerplate

当前项目:

  • ASP.NET 4.5.2
  • MVC 5
  • HTML5 Boilerplate
  • 谷歌ReCaptcha(任何NuGet套餐,请你选择,我已经通过其中三个进行了搅拌)

所以内容安全策略似乎从site I am developing之外的任何内容停止,。是的,该表格的底部应该有一个Google ReCaptcha。看不到了吗?是的......这是,尽管ajax.googleapis.com通过FilterConfig.cs被认为是“白名单”。

当我访问我的网站并尝试加载它时,我收到控制台错误:

Content Security Policy: The page's settings blocked the loading of a resource at https://www.google.com/recaptcha/api.js ("script-src http://http://www.taskgenerator.ca http://localhost:* http://ajax.googleapis.com http://ajax.aspnetcdn.com").

当我将www.google.com添加到CspScriptSrcAttribute()内的FilterConfig.cs时,我收到以下错误:

Content Security Policy: The page's settings blocked the loading of a resource at https://www.gstatic.com/recaptcha/api2/r20160913151359/recaptcha__en.js ("script-src http://http://www.taskgenerator.ca http://localhost:* http://www.google.com http://ajax.googleapis.com http://ajax.aspnetcdn.com").

当我添加www.gstatic.com时,我收到以下错误:

Content Security Policy: The page's settings blocked the loading of a resource at https://www.google.com/recaptcha/api2/anchor?k=6LdHZB4TAAAAAMj_6F7h1ahYTNAjtHqRvWLj_FBx&co=aHR0cDovL3Rhc2tnZW5lcmF0b3IubG9jYWxob3N0Ojgw&hl=en&v=r20160913151359&size=normal&cb=lvhf93b5gk4z ("default-src 'none'").

尽管已按上述方式将www.google.com列入白名单。

这种情况一直发生在&#$!%(@ rabbit hole。似乎没有结束。我只想在网站上添加一个愚蠢的ReCaptcha - 有多难应该是吗??

我非常确信无条件地从项目中删除了HTML5样板,并将其作为原始/自定义/默认,以避免这些难以处理的显示停止的关键错误。

请告诉我:

  1. 如何从HTML5 Boilerplate中转 OFF CSP,或
  2. 如何针对 已列入白名单的功能(Google API)更正此问题。

    3. HTML5 MVC Boilerplate page provides ZERO advice就此而言。

    编辑:

    FilterConfig.cs中的代码最初是这样的:

    filters.Add(
  new CspScriptSrcAttribute() {
    CustomSources = string.Join(
      " ",
#if DEBUG
      "localhost:*",
#endif
      ContentDeliveryNetwork.Google.Domain,
      ContentDeliveryNetwork.Microsoft.Domain
    ),
    Self = true,
  });

    使用常量(contentdeliverynetwork.cs):

    public static class ContentDeliveryNetwork {
  public static class Google {
    public const string Domain = "ajax.googleapis.com";
    public const string JQueryUrl = "//ajax.googleapis.com/ajax/libs/jquery/2.2.3/jquery.min.js";
  }
  public static class MaxCdn {
    public const string Domain = "maxcdn.bootstrapcdn.com";
    public const string FontAwesomeUrl = "//maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css";
  }
  public static class Microsoft {
    public const string Domain = "ajax.aspnetcdn.com";
    public const string JQueryValidateUrl = "//ajax.aspnetcdn.com/ajax/jquery.validate/1.15.0/jquery.validate.min.js";
    public const string JQueryValidateUnobtrusiveUrl = "//ajax.aspnetcdn.com/ajax/mvc/5.2.3/jquery.validate.unobtrusive.min.js";
    public const string ModernizrUrl = "//ajax.aspnetcdn.com/ajax/modernizr/modernizr-2.8.3.js";
    public const string BootstrapUrl = "//ajax.aspnetcdn.com/ajax/bootstrap/3.3.6/bootstrap.min.js";
  }
}

    甚至修改以下内容:

    filters.Add(
  new CspScriptSrcAttribute() {
    CustomSources = string.Format("google.com www.gstatic.com www.google.com localhost:* ajax.googleapis.com ajax.aspnetcdn.com"),
    Self = true,
  });

    无济于事。

1 个答案:

答案 0 :(得分:0)

Chrome通常会告诉您已找到的阻止内容。您只需要添加它告诉您的所有异常。也就是说,如果您想关闭CSP,请注释掉以下行:

public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        AddSearchEngineOptimizationFilters(filters);
        AddSecurityFilters(filters);
        AddContentSecurityPolicyFilters(filters); // Comment this out
    }

    // ...Omitted
}
相关问题
最新问题