Sta*_*Acc 9 javascript css security content-security-policy microsoft-edge
Question
Content-Security-Policy should by default blacklist script and style parsing and allow it only based on various directives, one of which validates against a hash of the expected output. The browser must refuse to execute any JavaScript or CSS that does not match a hash supplied in advance. Code with a matching hash should execute normally. Microsoft Edge blocks all in-page JS/CSS.
Instructions: visit the following live demo link in Microsoft Edge, and in any other browser.
Demo raw source code
<!doctype html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='; script-src https://ajax.googleapis.com 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc=';" />
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='; script-src https://ajax.googleapis.com 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc=';" />
<style>#loading{color:transparent}#loading:after{color:green;content:"Style loaded."}</style>
</head>
<body>
<span id="loading">Hashes loading...</span>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>
<script>alert("Script loaded.")</script>
</body>
</html>
CSP14304: Unknown source ‘'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='’ for directive ‘style-src’ in - source will be ignored.
CSP14306: No sources given for directive ‘style-src’ for - this is equivalent to using ‘none’ and will prevent the downloading of all resources of this type.
CSP14304: Unknown source ‘'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc='’ for directive ‘script-src’ in - source will be ignored.
CSP14312: Resource violated directive ‘style-src 'sha256-JtUhvM7uQO2KX5IEGWxN+rhEyzzsyFelfO2gXvYEuWA='’ in : inline style. Resource will be blocked.
CSP14312: Resource violated directive ‘script-src LINK-REMOVED-INSUFFICIENT-REPUTATION-ON-STACKOVERFLOW-SHOULD-BE-THE-GOOGLE-API-URL 'sha256-iZzrsbzuGxfOaTdnB/E6RQBssyXQRp7W8YtZD2Wg/Rc='’ in : inline script. Resource will be blocked.
Attempted fixes
Setting default-src and connect-src to self instead of none. I can't think of anything else.
Update after 24 hours: added X-Content-Security-Policy and updated the integrity hashes and the JSBin URL, but it made no difference in this particular case.
Edit: this may be incorrect. See the comments above.
IE 11 does not support Content-Security-Policy (only X-Content-Security-Policy), so this fails open. IE 12 supports CSP but does not grok nonces/hashes, so it fails closed... unless you also supply 'unsafe-inline' in the Content-Security-Policy header.
CSP Level 2 says "If a hash or nonce is provided, 'unsafe-inline' is ignored." This is for backwards compatibility, since older browsers choke on nonces/hashes and fall back to 'unsafe-inline'. See http://www.w3.org/TR/CSP2/#directive-script-src