我最近在我的网站上添加了CSP并开始对其进行测试(仅报告):除某些我无法理解的报告外,它看起来还可以。具体来说,我看到违反了“自我”指令应允许的资源。
服务器正在运行Express,并且通过helmet-csp提供CSP。我已经使用多种服务(例如https://csp-evaluator.withgoogle.com/)验证了CSP策略标头,并且结果正确无误。我正在使用report-uri.com来收集和分析CSP报告。
这是头盔csp设置:
app.use(csp({
directives: {
'default-src': ["'none'"],
'object-src': ["'none'"],
'script-src': ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
'connect-src': ["'self'", (req, _res) => (req.protocol === 'http' ? 'ws://' : 'wss://') + req.get('host')],
'manifest-src': ["'self'"],
'worker-src': ["'self'"],
'style-src': ["'self'"],
'font-src': ["'self'"],
'img-src': ["'self'", 'data:'],
'base-uri': ["'self'"],
'form-action': ["'self'"],
'report-uri': '[REMOVED]'
},
reportOnly: true
}));
这是生成的CSP标头:
Content-Security-Policy-Report-Only: default-src 'none'; object-src 'none'; script-src 'self' 'nonce-[REMOVED]'; connect-src 'self' wss://MYSUBDOMAIN.MYDOMAIN.it; manifest-src 'self'; worker-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; base-uri 'self'; form-action 'self'; report-uri [REMOVED]
这些是报告的一些示例:
{
"csp-report": {
"document-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/",
"effective-directive": "worker-src",
"original-policy": "default-src 'none'; object-src 'none'; script-src 'self' 'nonce-[removed]'; connect-src 'self' wss://MYSUBDOMAIN.MYDOMAIN.it; manifest-src 'self'; worker-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; base-uri 'self'; form-action 'self'; report-uri [REMOVED]",
"blocked-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/notification-worker.js",
"line-number": 1,
"column-number": 1966,
"source-file": "https://MYSUBDOMAIN.MYDOMAIN.it/js/index.min.js"
}
}
{
"csp-report": {
"document-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/results",
"effective-directive": "img-src",
"original-policy": "default-src 'none'; object-src 'none'; script-src 'self' 'nonce-[removed]'; connect-src 'self' wss://MYSUBDOMAIN.MYDOMAIN.it; manifest-src 'self'; worker-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; base-uri 'self'; form-action 'self'; report-uri [REMOVED]",
"blocked-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/img/icon_twitter_black.png",
"line-number": 82
}
}
{
"csp-report": {
"document-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/results",
"effective-directive": "style-src-elem",
"original-policy": "default-src 'none'; object-src 'none'; script-src 'self' 'nonce-[removed]'; connect-src 'self' wss://MYSUBDOMAIN.MYDOMAIN.it; manifest-src 'self'; worker-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; base-uri 'self'; form-action 'self'; report-uri [REMOVED]",
"blocked-uri": "https://MYSUBDOMAIN.MYDOMAIN.it/css/results.min.css",
"line-number": 8
}
}
[大约有十个类似的报告(不同的图像和CSS文件,但报告结构相同),它们都来自Android上的Chrome。
我不明白为什么要发送所有这些报告:在每种情况下,相关策略都包含'self'关键字。
我缺少明显的东西吗?
如果您尚未找到解决方案,请参考以下答案。 Does a *.example.com for a content security policy header also match example.com?