Content-Security-Policy for webapp in iframe

Updated: 2023-09-26

I have a web app (myApp, developed with Spring Boot and Vaadin). The web app is deployed to a Tomcat server: http://tomcatserver:8080/myApp

Now I want to display the web app in an iframe, like this:

<iframe src="//tomcatserver:8080/myApp"></iframe>

One requirement now is that the iframe should only work from a whitelist of domains that embed it. So I have a web server http://myWebserver:8081 that has an index.html containing the <iframe>.

The web app's Spring WebSecurityConfigurerAdapter generates the following:

http.csrf().disable();  // Requirement: DTEUTARIF-111
http.headers()
        .frameOptions().disable()
        .and()
        .headers().contentTypeOptions()
        .and()
        .xssProtection()
        .and()
        .httpStrictTransportSecurity()
        .and()
        .addHeaderWriter(
                new StaticHeadersWriter(
                        "Content-Security-Policy",
                        "default-src 'self';" + 
                            "child-src 'self' http://myWebserver:8081;" +
                            "script-src 'self' http://myWebserver:8081;" +
                            "style-src 'self' http://myWebserver:8081;" +
                            "connect-src 'self' http://myWebserver:8081;" +
                            "font-src 'self' http://myWebserver:8081;" +
                            "object-src 'self' http://myWebserver:8081;"
                        )
                );

But I always get this:

angular.js:3543 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' http://myWebserver:8081". Either the 'unsafe-inline' keyword, a hash ('sha256-1PxuDsPyGK6n+LZsMv0gG4lMX3i3XigG6h0CzPIjwrE='), or a nonce ('nonce-...') is required to enable inline execution.

The same goes for script-src.

I'm not 100% sure, but when I add 'unsafe-inline' to script-src and style-src, the iframe is open to every domain.

What am I doing wrong? Is it possible at all?

For a working solution, I replaced:

new StaticHeadersWriter(
        "Content-Security-Policy",
        "default-src 'self';" +
            "child-src 'self' http://myWebserver:8081;" +
            "script-src 'self' http://myWebserver:8081;" +
            "style-src 'self' http://myWebserver:8081;" +
            "connect-src 'self' http://myWebserver:8081;" +
            "font-src 'self' http://myWebserver:8081;" +
            "object-src 'self' http://myWebserver:8081;"
        )

with:

new StaticHeadersWriter("Content-Security-Policy",
        "frame-ancestors 'self' http://myWebserver:8081")