%20sha256%20%E4%B8%8D%E5%8C%B9%E9%85%8D%EF%BC%8C%E4%BD%86%E5%9C%A8%20Chrome%2075.x%20%E4%B8%AD%E8%BF%90%E8%A1%8C%E6%AD%A3%E5%B8%B8.png)
我正在尝试在我的网站上设置非常严格的内容安全策略(CSP),如下所示:
base-uri 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' 'report-sample' https: http: 'sha256-lfXlPY3+MCPOPb4mrw1Y961+745U3WlDQVcOXdchSQc=' 'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU=' 'nonce-[CSP-NONCE]' 'Strict-Dynamic' 'unsafe-hashes';frame-src 'self';object-src 'none';report-uri /report-csp;
但我发现,在Chrome/74.0.3729.169中,与sha256-lfXlPY3+MCPOPb4mrw1Y961+745U3WlDQVcOXdchSQc=脚本“javascript:;”不匹配。
我知道它在 Chrome/75.x 上运行良好
Chrome/74.0.3729.169 的报告如下:
{"csp-report":{"document-uri":"https://xxx.xxx.com/","referrer":"https://xxx.xxx.com/","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"base-uri 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' 'report-sample' https: http: 'sha256-lfXlPY3+MCPOPb4mrw1Y961+745U3WlDQVcOXdchSQc=' 'sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU=' 'nonce-ICXBmlKCIhrG35lflJLb' 'Strict-Dynamic' 'unsafe-hashes';frame-src 'self';object-src 'none';report-uri /report-csp;","disposition":"report","blocked-uri":"inline","line-number":1,"source-file":"https://xxx.xxx.com/","status-code":0,"script-sample":"javascript:;"}}
这是 Chrom 74.x 中的一个错误吗?
值得一提的是,该策略中的另一个哈希值在 Chrome 74.x 和 Chrome 75.x 中均有效。('sha256-rRMdkshZyJlCmDX27XnL7g3zXaxv7ei6Sg+yt4R3svU=' means 'javascript:void(0)')
浏览器的用户代理是:
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 –