Dr.*_*OOM 6 python security flask
I want to use Flask-talisman to secure my application.
```python
from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)

SELF = '\'self\''
talisman = Talisman(
    app,
    content_security_policy={
        'default-src': [
            'https://fonts.googleapis.com',
            'https://cdnjs.cloudflare.com',
            SELF
        ],
        'img-src': '*',
        'script-src': [
            'www.paypal.com',
            'https://cdnjs.cloudflare.com',
            'https://cdnjs.cloudflare.com/ajax/libs/sweetalert/2.1.2/sweetalert.min.js',
            SELF
        ],
        'script-src-elem': [
            SELF,
            'https://cdnjs.cloudflare.com',
            # '\'sha256-rK9uOBOU6xGxNC0yyDvR8H+SSKlJ5zxJECCgbFv4/yQ=\'',
            # '\'sha256-CaM1VBFl4RtJZ9Br0nB80ZvFXnrUk3vr/4+pScd4lMQ=\'',
            # '\'sha256-BcYd5oXoLvDaktAA37B436mVSFB3DoC5aLwM1OorXAk=\'',
            # '\'sha256-V68+36l83hbDfO58E+T6u2tGJGhbcpAqCEfNCD3n2qY=\'',
            'www.paypal.com',
        ],
        'style-src': [
            'https://fonts.googleapis.com',
            'https://cdnjs.cloudflare.com',
            'https://cdnjs.cloudflare.com/ajax/libs/sweetalert/2.1.2/sweetalert.min.js',
            SELF
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\'',
            # '\'sha256-Y5HGV3cmFL1QmdV9FMkQjm7MR7FR+stNxbf9+GKET60=\'',
            # '\'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\'',
            # '\'sha256-lMuNwjy4Fw1In/+Nadl5ZPm5gAa4t2jbLUL/ybM9rzU=\'',
            # '\'sha256-lMuNwjy4Fw1In/+Nadl5ZPm5gAa4t2jbLUL/ybM9rzU=\'',
            # '\'sha256-7/kvZYAvW6o7J2rMfMbFOsaTsThj6/tBw+lPsMSniSA=\'',
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-IF8jfWBSZfCEeoCvSHf23OXvf0RDYWltkvNrcEzpDBE=\'',
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-IF8jfWBSZfCEeoCvSHf23OXvf0RDYWltkvNrcEzpDBE=\'',
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-0rOxHPZ4bWknhNsyCN7zXu9gXxyWLKCvfWr1ZAuyzgY=\'',
            # '\'sha256-kg8NTQKmLiYaDjmboMwJGfasUnDZfDeIJ7aXV4r5BVc=\'',
            # '\'sha256-VPm872V2JvE+vhivDg7UeH+N9a9YzzqGGow5mzY48hc=\'',
            # '\'sha256-i/PynXyovXdKWqaHlhds+BOU5Iis84bZpECM9wKzq+U=\'',
            # '\'sha256-VPm872V2JvE+vhivDg7UeH+N9a9YzzqGGow5mzY48hc=\'',
            # '\'sha256-VPm872V2JvE+vhivDg7UeH+N9a9YzzqGGow5mzY48hc=\'',
            # '\'sha256-IVUmBkRCdvydC0Uh8tn6KMTNiZNvKrJOMResPyDMax8=\''
        ],
        'style-src-elem': [
            SELF,
            'https://fonts.googleapis.com',
            'https://cdnjs.cloudflare.com',
            'https://cdnjs.cloudflare.com/ajax/libs/sweetalert/2.1.2/sweetalert.min.js',
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\'',
            # '\'sha256-Y5HGV3cmFL1QmdV9FMkQjm7MR7FR+stNxbf9+GKET60=\'',
            # '\'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\'',
            # '\'sha256-lMuNwjy4Fw1In/+Nadl5ZPm5gAa4t2jbLUL/ybM9rzU=\'',
            # '\'sha256-lMuNwjy4Fw1In/+Nadl5ZPm5gAa4t2jbLUL/ybM9rzU=\'',
            # '\'sha256-7/kvZYAvW6o7J2rMfMbFOsaTsThj6/tBw+lPsMSniSA=\'',
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-IF8jfWBSZfCEeoCvSHf23OXvf0RDYWltkvNrcEzpDBE=\'',
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-IF8jfWBSZfCEeoCvSHf23OXvf0RDYWltkvNrcEzpDBE=\'',
            # '\'sha256-AjpxHAnhAkbI3p301rAQ19y+QSGq2Jl7vv0Q7WzjR+c=\'',
            # '\'sha256-0rOxHPZ4bWknhNsyCN7zXu9gXxyWLKCvfWr1ZAuyzgY=\'',
            # '\'sha256-kg8NTQKmLiYaDjmboMwJGfasUnDZfDeIJ7aXV4r5BVc=\'',
            # '\'sha256-VPm872V2JvE+vhivDg7UeH+N9a9YzzqGGow5mzY48hc=\'',
            # '\'sha256-i/PynXyovXdKWqaHlhds+BOU5Iis84bZpECM9wKzq+U=\'',
            # '\'sha256-VPm872V2JvE+vhivDg7UeH+N9a9YzzqGGow5mzY48hc=\'',
            # '\'sha256-VPm872V2JvE+vhivDg7UeH+N9a9YzzqGGow5mzY48hc=\'',
            # '\'sha256-IVUmBkRCdvydC0Uh8tn6KMTNiZNvKrJOMResPyDMax8=\''
        ],
        'font-src': '*',
        'connect-src': '*',
        'frame-src': 'www.sandbox.paypal.com'
    },
    content_security_policy_nonce_in=['script-src', 'style-src', 'style-src-elem', 'script-src-elem', 'default-src']
)
```

I keep getting an error about embedding inline styles, because it violates the CSP.
```
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src https://fonts.googleapis.com https://cdnjs.cloudflare.com https://cdnjs.cloudflare.com/ajax/libs/sweetalert/2.1.2/sweetalert.min.js 'self' 'nonce-U3i4mzwI3bQdxarcYAcYUA'". Either the 'unsafe-inline' keyword, a hash ('sha256-lMuNwjy4Fw1In/+Nadl5ZPm5gAa4t2jbLUL/ybM9rzU='), or a nonce ('nonce-...') is required to enable inline execution.
```

Am I using the hashes correctly? Or is it because I whitelisted "SELF"? According to https://www.merixstudio.com/blog/content-security-policy-flask-and-django-part-1/
> Note that when using the "self" policy, inline scripts will be blocked, because they are the most common way of injecting JavaScript code into a website. Of course, the unsafe-inline policy can be used, but it is preferable to use the nonce or sha policy.
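A worked check of the rule the browser states in that error, added here as an example (not code from the question or from Flask-Talisman): it derives the `sha256-...` source expression from an inline block's exact text, builds a directive value of the shape shown in the error, and decides whether the block would be allowed. The sample style text and helper names are constructed; the nonce reuses the value from the error message, and `'self'` is treated as never permitting inline code, as the quoted blog post says.

```python
"""Check an inline <style> block against a CSP style-src directive value."""
import base64
import hashlib

# Constructed sample: the exact text between <style> and </style>, which is what
# the browser hashes (whitespace included).
INLINE_STYLE = "body { margin: 0; }"
# Nonce value taken from the error message in the question.
REQUEST_NONCE = "U3i4mzwI3bQdxarcYAcYUA"


def csp_hash(source: str) -> str:
    """Source expression for an inline block: 'sha256-' + base64(SHA-256(bytes))."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_directive(sources, nonce=None):
    """Join a source list into a header value; when a nonce is supplied it is
    appended as the per-request 'nonce-...' token, as in the error message.
    Keyword sources such as 'self' must already carry their single quotes."""
    parts = list(sources)
    if nonce is not None:
        parts.append(f"'nonce-{nonce}'")
    return " ".join(parts)


def inline_allowed(directive, content, nonce=None):
    """Decide whether an inline block passes the directive.  An inline block is
    admitted by a matching 'nonce-...', a matching 'sha256-...' of its exact
    text, or 'unsafe-inline'; 'self' and host sources never admit inline code,
    and browsers ignore 'unsafe-inline' once any nonce or hash source is present."""
    tokens = [t.strip("'") for t in directive.split()]
    nonces = {t[len("nonce-"):] for t in tokens if t.startswith("nonce-")}
    hashes = {t for t in tokens if t.startswith("sha256-")}
    if nonce is not None and nonce in nonces:
        return True
    if csp_hash(content) in hashes:
        return True
    return "unsafe-inline" in tokens and not nonces and not hashes


if __name__ == "__main__":
    # Same shape as the style-src value in the question: hosts, 'self', nonce.
    header = build_directive(["https://fonts.googleapis.com", "'self'"], REQUEST_NONCE)
    print(header)
    print("without nonce:", inline_allowed(header, INLINE_STYLE))                 # False
    print("with nonce:   ", inline_allowed(header, INLINE_STYLE, REQUEST_NONCE))  # True
    hashed = build_directive(["'self'", "'" + csp_hash(INLINE_STYLE) + "'"])
    print("with hash:    ", inline_allowed(hashed, INLINE_STYLE))                 # True
```

A hash covers the exact bytes of the inline block, so even a trailing space produces a different value; `sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=` from the commented-out list is the hash of an empty block.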