在 .htaccess 内容安全策略 (CSP) 中使用 nonce 时出错

tag-icon tag-icon .htaccess php
在 .htaccess 内容安全策略 (CSP) 中使用 nonce 时出错

我正在尝试使用 Content-Security-Policy nonce 但其产生了错误。

通过 console.log 的错误:

拒绝应用内联样式,因为它违反了以下内容安全策略指令:“default-src 'self'”。要启用内联执行,需要“unsafe-inline”关键字、哈希值(“sha256-eM7IckhPhRx5dBGXZhwsgAKulpq/euetK0YPweqUKX4='”)或随机数(“nonce-...”)。请注意,除非存在“unsafe-hashes”关键字,否则哈希值不适用于事件处理程序、样式属性和 javascript:导航。还要注意,‘style-src’没有明确设置,因此‘default-src’被用作后备。

我也尝试使用 mod_unique_id 而不是使用 PHP set env,但它会引发内部服务器错误。

我究竟做错了什么?

我的代码:

.htaccess

Options +FollowSymLinks
RewriteEngine On

<IfModule mod_headers.c>
FileETag None
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
Header set Connection keep-alive
Header set X-XSS-Protection "1; mode=block"

SetEnv MY_CSP_NONCE "<?php echo $_SERVER['MY_CSP_NONCE']; ?>"

Header always set Content-Security-Policy "expr=default-src 'none'; script-src 'self' require-trusted-types-for 'script' https://www.googletagmanager.com https://www.facebook.com https://www.twitter.com https://www.instagram.com 'nonce-%{ENV:MY_CSP_NONCE}' 'strict-dynamic' 'wasm-eval' 'unsafe-eval'; script-src-elem 'self'; connect-src 'self'; img-src 'self' https://storage.googleapis.com data:; video-src 'self' https://storage.googleapis.com data:; style-src 'self' style-src-attr 'self' 'nonce-%{ENV:MY_CSP_NONCE}'; base-uri 'none'; object-src 'none'; frame-ancestors 'self'; frame-src 'self'; sandbox allow-same-origin allow-scripts allow-popups; media-src 'self'; worker-src 'self https://*.cloudflare.com'; manifest-src 'self'; child-src 'self'; prefetch-src 'self' https://storage.googleapis.com https://www.googletagmanager.com; form-action 'self' https://www.paystack.com; font-src 'self' data:; upgrade-insecure-requests"

Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
Header always set Content-Security-Policy-Report-Only "default-src 'self'; report-uri https://www.example.com/csp-report-endpoint"
Header always set X-Frame-Options "sameorigin"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
Header always set Cross-Origin-Opener-Policy "same-origin-allow-popups"
Header always set Cross-Origin-Resource-Policy "same-site"
SetEnvIf Referer "^https://storage.googleapis.com" CORP_EXEMPT
Header always set Cross-Origin-Embedder-Policy "require-same-origin"
Header always set Cross-Origin-Embedder-Policy "unsafe-none" env=CORP_EXEMPT
Header set Cross-Origin-Embedder-Policy "unsafe-none" "expr=%{REQUEST_URI} =~ m!\.(png|jpe?g|gif|svg|webp|avif|mp4|webm|m4a|ogv)$!"
</IfModule>

RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f

RewriteRule ^index$ ./index.php
RewriteRule ^about$ ./about.php

RewriteRule ^404$ ./404.php
RewriteRule ^500$ ./500.php

ErrorDocument 404 https://www.example.com/404

IndexIgnore *

我的 cookiesetter.php - 存储 nonce 的位置,以便包含在每个脚本中

  <?php 
  $nonce = rtrim(strtr(base64_encode(random_bytes(64)), '+/', '-_'), '=');
  putenv("MY_CSP_NONCE=$nonce");
  ?>

和 index.php

  <?php include "cookiesetter.php" ?>

  <html>
  <head>
  <title>Example</title>
  <style nonce="<?php echo $nonce ?>">
  bla bla bla
  </style>
  </head>

  <body>
  <script nonce="<?php echo $nonce ?>">
  bla bla bla
  </script>
  </body>
  </html>

相关内容