如何在spring security中使用哈希指定内容安全策略

js81xvg6  于 2021-09-29  发布在  Java
关注(0)|答案(0)|浏览(645)

我正在使用一个带有thymeleaf的JavaSpringBoot应用程序,我希望通过SpringSecurity中的内容安全策略保护我的应用程序不受非持久性xss的影响。现在,在我的前端,所有按钮都不起作用,因为我使用javascript对它们进行rest调用。下面是我的安全配置:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.requiresChannel().anyRequest().requiresSecure().and().authorizeRequests().antMatchers("/login","/css_general/**","/css_page_specific/**","/**/*.js","/**/*.css")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and().formLogin(form -> form
            .loginPage("/login")
            .defaultSuccessUrl("/index.html")
            .failureUrl("/login?error=true")
        )
        .sessionManagement().invalidSessionUrl("/login")
        .and()
        .httpBasic()
       .and()
    .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("JSESSIONID")
            .permitAll()
            .and()
            .cors().disable()
            .headers()
            .xssProtection()
            .and()
            .contentSecurityPolicy("default-src 'self'");

我得到以下信息:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-bzTE78wYOlzPtHKiZ2sKJr4A09DavGERaFsjDU2pdq8='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

如果我使用scriptsrc,那么我看不到上面的错误,但是我仍然不能登录。我如何添加encryption/sha-256以使thymeleaf和页面上的后续内联脚本工作,但我仍然受到xss的保护?我希望两全其美:不受xss的影响,也不必对thymeleaf/myJavaScript进行更改。我是否需要创建一个执行sha-256的助手函数,并将该函数放入内容安全策略中?有人能举个例子吗?

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题