【发布时间】:2017-09-05 05:45:41
【问题描述】:
目前我正在使用 NWebsec.AspNetCore.Middleware nuget 包来实现 CSP 标头。当简单地创建一个新的 ASP.NET Core 1.1 MVC 应用程序并如下修改启动时,仍然可以通过控制台注入脚本。我错过了什么?
public class Startup
{
public Startup(IHostingEnvironment env)
{
var builder = new ConfigurationBuilder()
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
.AddEnvironmentVariables();
Configuration = builder.Build();
}
public IConfigurationRoot Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// Add framework services.
services.AddMvc();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseBrowserLink();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
app.UseCsp(csp =>
{
csp.DefaultSources(src => src.Self());
});
}
}
其意图是将 CSP 安全设置为 Angular2 生成的静态文件 (WebPack)。但似乎没有应用 CSP。
【问题讨论】:
标签: c# angular content-security-policy asp.net-core-1.1