本文介绍了自定义Web表单脚本生成的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

好的,是的,现在是2020年,但不要笑.我正在尝试更新一些ASP.NET Web表单.我的目标是锁定它们,通过应用限制性更强的内容安全策略(CSP)使它们更安全.为此,我使用的是随机数,而不是允许 unsafe-inline 进行脚本编写.

Ok, yes, it's 2020 but don't laugh. I'm trying update some ASP.NET web forms. My goal is to lock them down, making them more secure by applying a more restrictive Content Security Policy (CSP). To that end, I'm using a nonce, rather than allowing unsafe-inline for scripting.

对于简单"网络表单,效果很好.但是,只要有ASP控件导致回发,我就会遇到问题.当我查看页面源代码时,会看到类似以下内容:

For "simple" web forms, it's working fine. However, I hit a problem whenever there's an ASP control that results in a post back. When I look in the page source, I see stuff like this:

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
    theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}

<script type="text/javascript">
    function previewFile() {
        var preview = document.querySelector('#Body_Main_LogoImage');
        var file = document.querySelector('#Body_Main_logoUpload').files[0];
        var reader = new FileReader();

        reader.onloadend = function () {
            preview.src = reader.result;
        }

        if (file) {
            reader.readAsDataURL(file);
        } else {
            preview.src = "";
        }
    }
</script>

我相信,此代码是由某些MS Web表单代码生成的.问题在于这些脚本元素都没有一个随机数,我想提供一个随机数,因此它违反了我的CSP(不包括 unsafe-inline ).有什么我可以改写来自定义此行为的东西吗?

This code is generated by some of the MS web form code, I believe. The problem is that neither of these script elements have a nonce, which I'd like to supply, so it is in violation of my CSP (which does not include unsafe-inline). Is there anything I can override to customize this behaviour?

推荐答案

某些令人反感的代码是在 Page 类内的私有方法(例如 RenderPostBackScript )中定义的,然后由内部方法调用.因此,除非我替换了大量代码,否则以常规方式覆盖它不是一种选择.作为替代方案,我在页面中覆盖了 CreateHtmlTextWriter :

Some of the offending code is defined in a private method (e.g. RenderPostBackScript) inside the Page class, which in turn is called by internal methods. So, overriding it the normal way isn't an option unless I replace a large bunch of code. As an alternative, I overrode CreateHtmlTextWriter in my page:

protected override System.Web.UI.HtmlTextWriter CreateHtmlTextWriter(TextWriter tw)
{
    return new HtmlTextWriter(tw, this);
}

,然后在我的 HtmlWriter 类中,执行以下操作:

and then in my HtmlWriter class, I do this:

public override void Write(string s)
{
    if (s != null && s.IndexOf("<script") > -1 && s.IndexOf("nonce") == -1 && s.IndexOf("src") == -1)
    {
        s = s.Replace("<script", "<script nonce=\"" + this._page.GetNonce() + "\"");
    }
    base.Write(s);
}

我在 HtmlTextWriter 中为 AddAttribute 使用了类似的方法,以避免在 href 内联内联 javascript:将需要 script-src 使用 unsafe-inline (并禁止使用随机数).

I used a similar approach in my HtmlTextWriter for AddAttribute to avoid inline javascript: inside href, which would required unsafe-inline for script-src (and preclude the use of a nonce).

public override void AddAttribute(HtmlTextWriterAttribute key, string value)
{
    if (key == HtmlTextWriterAttribute.Href && value != null && value.IndexOf("javascript:") > -1)
    {
        base.AddAttribute(key, "#");
        var newScript = value.Replace("javascript:", "");
        newScript += "; return false;";
        base.AddAttribute(HtmlTextWriterAttribute.Onclick, newScript);
    }
    else
    {
        base.AddAttribute(key, value);
    }
}

这篇关于自定义Web表单脚本生成的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-05 07:45