CSP 'self' fails in various directives

Time: 2019-04-09 08:16:38

Tags: content-security-policy

I recently added a CSP to my website and started testing it (report-only): it looks fine except for some reports I cannot understand.
Specifically, I am seeing violations for resources that the 'self' directive should allow.

The server runs Express, and the CSP is served via helmet-csp. I have validated the CSP policy header with several services (e.g. https://csp-evaluator.withgoogle.com/) and it checks out. I am using report-uri.com to collect and analyze the CSP reports.

Here is the helmet-csp setup:

app.use(csp({
  directives: {
    'default-src': ["'none'"],
    'object-src': ["'none'"],
    'script-src': ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
    'connect-src': ["'self'", (req, _res) => (req.protocol === 'http' ? 'ws://' : 'wss://') + req.get('host')],
    'manifest-src': ["'self'"],
    'worker-src': ["'self'"],
    'style-src': ["'self'"],
    'font-src': ["'self'"],
    'img-src': ["'self'", 'data:'],
    'base-uri': ["'self'"],
    'form-action': ["'self'"],
    'report-uri': '[REMOVED]'
  },
  reportOnly: true
}));

Here is the resulting CSP header:

Content-Security-Policy-Report-Only: default-src 'none'; object-src 'none'; script-src 'self' 'nonce-[REMOVED]'; connect-src 'self' wss://MYSUBDOMAIN.MYDOMAIN.it; manifest-src 'self'; worker-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; base-uri 'self'; form-action 'self'; report-uri [REMOVED]

Here are some examples of the reports:

{
    "csp-report": {
        "document-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/",
        "effective-directive": "worker-src",
        "original-policy": "default-src 'none'; object-src 'none'; script-src 'self' 'nonce-[removed]'; connect-src 'self' wss://MYSUBDOMAIN.MYDOMAIN.it; manifest-src 'self'; worker-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; base-uri 'self'; form-action 'self'; report-uri [REMOVED]",
        "blocked-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/notification-worker.js",
        "line-number": 1,
        "column-number": 1966,
        "source-file": "https://MYSUBDOMAIN.MYDOMAIN.it/js/index.min.js"
    }
}
{
    "csp-report": {
        "document-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/results",
        "effective-directive": "img-src",
        "original-policy": "default-src 'none'; object-src 'none'; script-src 'self' 'nonce-[removed]'; connect-src 'self' wss://MYSUBDOMAIN.MYDOMAIN.it; manifest-src 'self'; worker-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; base-uri 'self'; form-action 'self'; report-uri [REMOVED]",
        "blocked-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/img/icon_twitter_black.png",
        "line-number": 82
    }
}
{
    "csp-report": {
        "document-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/results",
        "effective-directive": "style-src-elem",
        "original-policy": "default-src 'none'; object-src 'none'; script-src 'self' 'nonce-[removed]'; connect-src 'self' wss://MYSUBDOMAIN.MYDOMAIN.it; manifest-src 'self'; worker-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; base-uri 'self'; form-action 'self'; report-uri [REMOVED]",
        "blocked-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/css/results.min.css",
        "line-number": 8
    }
}

There are about ten similar reports (different images and CSS files, but the same report structure), all coming from Chrome on Android.

I do not understand why all these reports are being sent: in each case the relevant policy contains the 'self' keyword.

Am I missing something obvious?

0 answers:

No answers
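The reports above, worked through as an added triage example (this is not the asker's code and not part of helmet-csp or report-uri.com): a plain Node.js script that parses each report's original-policy, resolves the directive that actually governs the blocked load through the CSP3 fallback chain (style-src-elem falls back to style-src, worker-src to child-src and then script-src, everything else to default-src), and checks whether blocked-uri is same-origin with document-uri. A report whose governing directive contains 'self' while the blocked URL is same-origin is flagged 'self-anomaly': such a report contradicts the policy as written, so the cause is on the client side (for example a browser extension rewriting the page, an interfering proxy, or a user-agent bug) rather than in the policy. The host app.example.com, the nonce and the report-uri in the sample data are placeholders, and the same-origin check deliberately ignores the CSP3 allowance for http-to-https and ws-to-wss upgrades.

```javascript
// Added example, not code from the original post or from helmet-csp: triage CSP
// violation reports and flag the ones that contradict the policy, i.e. the
// blocked-uri is same-origin with the document while the directive that really
// governs the load (after CSP3 fallback) already contains 'self'.
// Plain Node.js, no dependencies. The sample reports below are constructed to
// mirror the ones in the question; app.example.com is a placeholder host.

// CSP3 fallback chains: when a directive is absent, the user agent consults the
// next one in the list. Directives not listed fall back to default-src only.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr': ['style-src-attr', 'style-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
};

// "default-src 'none'; img-src 'self' data:" -> { 'default-src': ["'none'"], 'img-src': ["'self'", 'data:'] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources; // CSP keeps the first of duplicate directives
  }
  return directives;
}

// The source list that really governs `directive` in this policy.
function effectiveSources(directives, directive) {
  for (const name of FALLBACK[directive] || [directive, 'default-src']) {
    if (directives[name]) return { governedBy: name, sources: directives[name] };
  }
  return { governedBy: null, sources: [] };
}

// 'self' matches the document origin (scheme + host + port). Assumption: the
// CSP3 allowance for http->https / ws->wss upgrades is ignored here.
function isSameOrigin(a, b) {
  try { return new URL(a).origin === new URL(b).origin; } catch { return false; }
}

// Classify one report as 'self-anomaly', 'self-missing', 'cross-origin' or 'non-url'.
function triageReport(report) {
  const r = report['csp-report'];
  const directive = r['effective-directive'] || (r['violated-directive'] || '').split(/\s+/)[0];
  const { governedBy, sources } = effectiveSources(parsePolicy(r['original-policy']), directive);
  const blocked = r['blocked-uri'] || '';
  const result = { directive, governedBy, blocked, kind: 'non-url' };
  // "inline", "eval", "data", "self" and similar markers are not URLs.
  if (!/^[a-z][a-z0-9+.-]*:/i.test(blocked)) return result;
  if (!isSameOrigin(blocked, r['document-uri'])) result.kind = 'cross-origin';
  else result.kind = sources.includes("'self'") ? 'self-anomaly' : 'self-missing';
  return result;
}

// Count reports per kind. 'self-anomaly' entries are the ones to investigate on
// the client side (extension, proxy, user-agent bug), 'self-missing' entries are
// real gaps in the policy.
function summarize(reports) {
  const counts = {};
  for (const report of reports) {
    const { kind } = triageReport(report);
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

// Constructed sample data mirroring the question's reports (placeholder host, nonce and report-uri).
const POLICY = "default-src 'none'; object-src 'none'; script-src 'self' 'nonce-abc123'; connect-src 'self' wss://app.example.com; manifest-src 'self'; worker-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; base-uri 'self'; form-action 'self'; report-uri /csp-report";
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://app.example.com/', 'effective-directive': 'worker-src', 'original-policy': POLICY, 'blocked-uri': 'https://app.example.com/notification-worker.js' } },
  { 'csp-report': { 'document-uri': 'https://app.example.com/results', 'effective-directive': 'img-src', 'original-policy': POLICY, 'blocked-uri': 'https://app.example.com/img/icon_twitter_black.png' } },
  { 'csp-report': { 'document-uri': 'https://app.example.com/results', 'effective-directive': 'style-src-elem', 'original-policy': POLICY, 'blocked-uri': 'https://app.example.com/css/results.min.css' } },
  { 'csp-report': { 'document-uri': 'https://app.example.com/results', 'effective-directive': 'script-src', 'original-policy': POLICY, 'blocked-uri': 'https://cdn.example.net/lib.js' } },
  { 'csp-report': { 'document-uri': 'https://app.example.com/results', 'effective-directive': 'script-src', 'original-policy': POLICY, 'blocked-uri': 'inline' } },
  // frame-src is absent, child-src is absent, so default-src 'none' governs: a genuine policy gap.
  { 'csp-report': { 'document-uri': 'https://app.example.com/results', 'effective-directive': 'frame-src', 'original-policy': POLICY, 'blocked-uri': 'https://app.example.com/embed' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const report of SAMPLE_REPORTS) console.log(triageReport(report));
  console.log(summarize(SAMPLE_REPORTS));
}
```

Run it with node and replace SAMPLE_REPORTS with the JSON export of the collected reports. The three reports from the question all land in 'self-anomaly', which is exactly the signal that the policy is not what needs fixing; the user-agent string and the client IP in the full report (not shown in the question) are then the next things to correlate.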