Cross-site Referrer leakage via Referrer-Policy caused by the request to https://fonts.gstatic.com

Time: 2019-09-18 15:02:51

Tags: http https content-security-policy websecurity crlf-vulnerability

I want to get rid of the security vulnerability named "Cross-site Referrer leakage via Referrer-Policy". What should I do? The "Cross-site Referrer leakage via Referrer-Policy" warning comes from a program (Netsparker) that checks websites for security vulnerabilities.

I inspected everything while loading sekerleasing.com.tr in Chrome's dev tools. I checked that the URL (https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfChc4EsA.woff2) is served with no-referrer-when-downgrade as its Referrer-Policy. I changed the Content Security Policy many times, but that did not solve it.

  <httpProtocol>
    <customHeaders>
      <clear />
      <remove name="X-AspNetMvc-Version" />
      <remove name="X-Powered-By" />
      <!--<add name="X-Frame-Options" value="SAMEORIGIN"/>
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="Content-Security-Policy" value="style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self'  'unsafe-inline'  https://fonts.gstatic.com data; script-src 'self'  'nonce-l20eZ8IGZX'   https://maps.googleapis.com ; "  />-->

      <!-- SECURITY HEADERS - https://securityheaders.io/? -->
      <!-- Protects against Clickjacking attacks. ref.: http://stackoverflow.com/a/22105445/1233379 -->
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <!-- Enforces HTTPS for one year, including subdomains (HSTS). ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet -->
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
      <!-- Protects against XSS injections. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
      <add name="X-XSS-Protection" value="1; mode=block" />
      <!-- Protects against MIME-type confusion attack. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
      <add name="X-Content-Type-Options" value="nosniff" />
      <!-- CSP modern XSS directive-based defence, used since 2014. ref.: http://content-security-policy.com/ -->
      <!-- <add name="Content-Security-Policy" value="default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" /> -->
      <add name="Content-Security-Policy" value="default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';" />

      <!-- Prevents leaking referrer data over insecure connections. ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
      <add name="Referrer-Policy" value="strict-origin" />

    </customHeaders>
  </httpProtocol>

The expected result is no leakage, with the Referrer-Policy being strict-origin. That means getting rid of "Cross-site Referrer leakage via Referrer-Policy".

The actual result is as follows:

Request Headers

Request URL: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfChc4EsA.woff2
Request Method: GET
Status Code: 200
Remote Address: 172.217.169.99:443
Referrer Policy: no-referrer-when-downgrade

Provisional headers are shown
Origin: https://www.sekerleasing.com.tr
Referer: https://fonts.googleapis.com/css?family=Roboto:100,100i,300,300i,400,400i,500,500i,700,700i,900,900i
Sec-Fetch-Mode: cors
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
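The Referer shown above is the Google Fonts stylesheet URL, so that font request is governed by the Referrer-Policy of the stylesheet's own response, not by the header the site sends for its pages. As an added illustration that is not part of the original question, the following Python script (hypothetical helpers `referer_for` and `compare_policies`; sample URLs constructed from the headers above, with the font-family list shortened) computes the Referer value a browser sends under each Referrer-Policy, showing that no-referrer-when-downgrade sends the full URL including the query string while strict-origin reduces it to the origin.

```python
from urllib.parse import urlsplit, urlunsplit

# Policy names from the W3C Referrer Policy specification
POLICIES = ("no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "same-origin", "strict-origin",
            "strict-origin-when-cross-origin", "unsafe-url")

# Constructed from the headers in the question (font family list shortened)
CSS_URL = "https://fonts.googleapis.com/css?family=Roboto:100,100i,300,300i,400"
FONT_URL = "https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfChc4EsA.woff2"

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}"  # drop any userinfo

def _stripped(url):
    # A full Referer never carries userinfo or the fragment
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path or "/", p.query, ""))

def referer_for(referrer_url, target_url, policy):
    """Referer value (None = header omitted) a browser sends from referrer_url
    to target_url under the given Referrer-Policy. Hypothetical helper."""
    if policy not in POLICIES:
        # Unknown or absent policy: the browser default applies; Chrome 76
        # (the browser in the question) defaulted to no-referrer-when-downgrade
        policy = "no-referrer-when-downgrade"
    if policy == "no-referrer":
        return None
    ref_origin = _origin(referrer_url)
    same_origin = ref_origin == _origin(target_url)
    # Downgrade = TLS-protected referrer would be sent to a plaintext target
    downgrade = urlsplit(referrer_url).scheme == "https" and urlsplit(target_url).scheme != "https"
    if policy == "unsafe-url":
        return _stripped(referrer_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(referrer_url)
    if policy == "same-origin":
        return _stripped(referrer_url) if same_origin else None
    if policy == "origin":
        return ref_origin + "/"
    if policy == "origin-when-cross-origin":
        return _stripped(referrer_url) if same_origin else ref_origin + "/"
    if policy == "strict-origin":
        return None if downgrade else ref_origin + "/"
    # strict-origin-when-cross-origin: full URL same-origin, origin only cross-origin
    return _stripped(referrer_url) if same_origin else (None if downgrade else ref_origin + "/")

def compare_policies(referrer_url=CSS_URL, target_url=FONT_URL):
    """Referer sent under every policy for one request (default: the question's font fetch)."""
    return {p: referer_for(referrer_url, target_url, p) for p in POLICIES}
```

Running `compare_policies()` on the question's request shows the full stylesheet URL for no-referrer-when-downgrade and unsafe-url, `https://fonts.googleapis.com/` for the origin-based policies, and no header at all for no-referrer and same-origin.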

0 answers

No answers