2017-06-01 96 views
1

CSP: multiple Google URIs and null?

We recently started using a Content Security Policy, but we still have a lot of problems.

1. Blocked Google URIs
A lot of Google URIs are being blocked by different directives. For example:

    "csp-report": {
        "blocked-uri": "https://www.google.co.za",
        "document-uri": "https://de.our-project.com/",
        "original-policy": "default-src https://de.our-project.com; script-src https://de.our-project.com data: https://*.our-project-test.com https://*.our-project.com https://*.our-project-stage.com https://s.yimg.jp https://www.google.co.jp https://p.dr.adingo.jp https://ajax.googleapis.com https://api.sovendus.com https://s.yjtag.jp https://data1.allo-pages.fr https://data1.mes-resultats.com https://*.yahoo.co.jp https://api.gutscheinconnection.de https://cdn.our-project-stage.com https://cdn.our-project.com http://www.googletagmanager.com https://www.googletagmanager.com https://www.google-analytics.com https://maps-api-ssl.google.com https://maps.googleapis.com https://www.googleadservices.com https://*.justuno.com http://connect.facebook.net https://connect.facebook.net https://pippio.com http://cdn.rawgit.com http://d.ratepay.com 'unsafe-inline' 'unsafe-eval'; style-src https://de.our-project.com https://*.our-project.com https://*.our-project-test.com https://www.sovendus.com https://cdn.our-project-stage.com https://cdn.our-project.com https://fast.fonts.net https://fonts.googleapis.com 'unsafe-inline'; img-src https://de.our-project.com data: https://*.our-project.com http://*.test.com https://*.test.com https://*.our-project-test.com https://www.google.com.co https://www.google.lt https://www.google.nl https://www.google.com.ua https://www.google.co.jp https://www.google.es https://www.google.co.uk https://www.google.dk https://www.google.co.il https://www.google.cz https://www.gstatic.com https://tap.rubiconproject.com https://sync.adap.tv https://d.agkn.com https://rudy.adsnative.com https://www.googletagmanager.com https://*.sovendus.com https://gum.criterio.com https://wam.solution.weborama.fr https://pippio.com https://load.s3.amazonaws.com http://test-admin.devnet.nil https://a248.e.akamai.net https://er.criteo.com https://ibeu2.mookie1.com https://tags.bluekai.com https://s.thebrighttag.com https://elr.sfr.fr https://traffic.outbrain.com https://ext.ligatus.com http://www.seur.com https://*.rlcdn.com https://www.google.ie https://www.google.fr https://cdn.our-project-stage.com https://cdn.our-project.com http://pim.test.com https://admin.our-project-stage.com https://admin.our-project.com https://pim-cdn.test.com http://pim-cdn.test.com https://cms-cdn.test.com http://test.preview.denkwerk.com https://www.facebook.com https://maps.googleapis.com https://maps-api-ssl.google.com https://googleads.g.doubleclick.net https://www.google-analytics.com https://www.google.de https://www.google.com https://stats.g.doubleclick.net https://csi.gstatic.com https://maps.gstatic.com http://aa.agkn.com https://aa.agkn.com http://login.dotomi.com https://login.dotomi.com http://emailretargeting.com https://emailretargeting.com https://p-eu.acxiom-online.com http://global.ib-ibi.com https://global.ib-ibi.com http://loadus.exelator.com https://loadus.exelator.com http://i.liadm.com https://i.liadm.com http://rc.rlcdn.com https://cm.g.doubleclick.net https://secure.insightexpressai.com https://e.nexac.com https://stags.bluekai.com https://pm.w55c.net https://um.simpli.fi https://dt-secure.videohub.tv https://c.bing.com https://b97.yahoo.co.jp; font-src https://de.our-project.com data: https://cdn.our-project-stage.com https://cdn.our-project.com https://fonts.gstatic.com 'unsafe-inline' 'unsafe-eval'; connect-src https://de.our-project.com https://profile.justuno.com https://www.justuno.com https://profilebak.justuno.com http://d.ratepay.com; media-src https://de.our-project.com; object-src https://de.our-project.com https://d.ratepay.com; child-src https://de.our-project.com https://bid.g.doubleclick.net https://www.youtube.com https://www.justuno.com; frame-src https://de.our-project.com https://bid.g.doubleclick.net https://www.youtube.com https://www.justuno.com; frame-ancestors https://de.our-project.com ; form-action https://de.our-project.com https://www.computop-paygate.com https://*.paypal.com https://www.sandbox.paypal.com; manifest-src https://de.our-project.com;",
        "referrer": "https://de.our-project.com/",
        "violated-directive": "img-src https://de.our-project.com data: https://*.our-project.com http://*.test.com https://*.test.com https://*.our-project-test.com https://www.google.com.co https://www.google.lt https://www.google.nl https://www.google.com.ua https://www.google.co.jp https://www.google.es https://www.google.co.uk https://www.google.dk https://www.google.co.il https://www.google.cz https://www.gstatic.com https://tap.rubiconproject.com https://sync.adap.tv https://d.agkn.com https://rudy.adsnative.com https://www.googletagmanager.com https://*.sovendus.com https://gum.criterio.com https://wam.solution.weborama.fr https://pippio.com https://load.s3.amazonaws.com http://test-admin.devnet.nil https://a248.e.akamai.net https://er.criteo.com https://ibeu2.mookie1.com https://tags.bluekai.com https://s.thebrighttag.com https://elr.sfr.fr https://traffic.outbrain.com https://ext.ligatus.com http://www.seur.com https://*.rlcdn.com https://www.google.ie https://www.google.fr https://cdn.our-project-stage.com https://cdn.our-project.com http://pim.test.com https://admin.our-project-stage.com https://admin.our-project.com https://pim-cdn.test.com http://pim-cdn.test.com https://cms-cdn.test.com http://test.preview.denkwerk.com https://www.facebook.com https://maps.googleapis.com https://maps-api-ssl.google.com https://googleads.g.doubleclick.net https://www.google-analytics.com https://www.google.de https://www.google.com https://stats.g.doubleclick.net https://csi.gstatic.com https://maps.gstatic.com http://aa.agkn.com https://aa.agkn.com http://login.dotomi.com https://login.dotomi.com http://emailretargeting.com https://emailretargeting.com https://p-eu.acxiom-online.com http://global.ib-ibi.com https://global.ib-ibi.com http://loadus.exelator.com https://loadus.exelator.com http://i.liadm.com https://i.liadm.com http://rc.rlcdn.com https://cm.g.doubleclick.net https://secure.insightexpressai.com https://e.nexac.com https://stags.bluekai.com https://pm.w55c.net https://um.simpli.fi https://dt-secure.videohub.tv https://c.bing.com https://b97.yahoo.co.jp"
    }

But we don't even have this URI on our website. The same goes for a lot of other Google URIs.
Does anyone know why we are getting these violations and how to fix them?

2. blocked-uri: null
There are a lot of

    "blocked-uri": "null"

entries in our violation logs. It is always the font-src directive that is violated by this.
I have read about it being empty, but couldn't find anything about "null".
Can someone explain to me how this happens?

Edit

I've read some more by now, and it seems like Google AdWords and Analytics (?) are the cause of my first problem.

The solution would be:
Either add all 200 or so Google domains to your CSP, or allow all image sources (or at least a specific protocol).

Regarding my second problem:
It seems that "null" replaced the empty string. But everything I found was about violations of the script-src directive, which would mean the report is about inline JavaScript or the eval() function.
Since it is the font-src directive that is violated, I don't think that applies.

If I find anything new, I'll edit this post again.

+0

While I think this question is on topic here, you could also try asking on [Security SE](https://security.stackexchange.com/) to possibly invite more answers. –

Answer

0

Found the solution myself:

1. Blocked Google URIs
Either add ALL 200 or so Google domains to your CSP, or allow all image sources (or at least a specific protocol).

2. blocked-uri: null, violated-directive: font-src. It seems that browser extensions cause this error, namely LastPass. We tried it, and the CSP threw the violation on login.

Hope this helps some people in the future.
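As an added example that is not part of the question or the answer above, the script below triages a batch of reports shaped like the one quoted in the question. It separates hosts that are genuinely missing from the policy (the Google country-domain case from the question's edit), hosts that are listed only on the other scheme (an http/https mismatch that looks like a missing host but is not), reports that carry no URL at all (blocked-uri "null" or ""), and extension-scheme URIs, which is what the LastPass case in the answer looks like when the browser does report a URL. The document URI, policy, hosts and report counts are constructed; the Google domain regex and the source-expression matcher are my approximations, not a browser's implementation, and the "null" handling only flags the report as opaque rather than claiming a cause.

```python
"""Triage CSP violation reports like the ones quoted above. Added example, not the question's
or answer's code; assumes the CSP Level 1/2 {"csp-report": {...}} wrapper shown on the page
and also reads the CSP3 "effective-directive" field. All sample input is constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "ms-browser-extension"}
# www.google.<tld>, www.google.co.<cc>, www.google.com.<cc>: heuristic based on the question's own finding
GOOGLE_CCTLD = re.compile(r"^www\.google\.(com|[a-z]{2,3}|com?\.[a-z]{2})$")
DOC = "https://de.our-project.com/"  # constructed document-uri and policy used by the sample reports
POLICY = ("default-src https://de.our-project.com; img-src https://de.our-project.com data: https://www.google.de; "
          "font-src https://de.our-project.com https://cdn.example.net; style-src https://de.our-project.com")

def rpt(blocked, violated, effective=None):  # one report in the wrapper shape the browser POSTs
    r = {"document-uri": DOC, "blocked-uri": blocked, "violated-directive": violated, "original-policy": POLICY}
    if effective:
        r["effective-directive"] = effective
    return {"csp-report": r}

SAMPLE_REPORTS = [  # constructed sample input
    rpt("https://www.google.co.za", "img-src https://de.our-project.com data: https://www.google.de"),
    rpt("null", "font-src https://de.our-project.com https://cdn.example.net"),
    rpt("http://cdn.example.net/font.woff2", "font-src", effective="font-src"),  # CSP3 style: name only
    rpt("moz-extension://1234abcd/content.css", "style-src https://de.our-project.com"),
]

def parse_policy(policy):  # 'a b; c d' -> {'a': ['b'], 'c': ['d']}; first occurrence of a directive wins
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def directive_sources(report):  # (directive name, source list) that the browser actually enforced
    tokens = report.get("violated-directive", "").split()
    name = report.get("effective-directive") or (tokens[0] if tokens else "")
    if len(tokens) > 1:  # CSP1/2 reports carry the full source list in violated-directive
        return name, tokens[1:]
    policy = parse_policy(report.get("original-policy", ""))
    return name, policy.get(name, policy.get("default-src", []))

def classify_blocked_uri(blocked):
    if blocked in ("", "null"):
        return "opaque"  # the browser withheld the URL
    if blocked in ("inline", "eval", "self", "data", "blob", "about", "filesystem"):
        return "token:" + blocked  # a keyword instead of a URL
    url = urlsplit(blocked)
    if url.scheme in EXTENSION_SCHEMES:
        return "extension"
    return "host" if url.scheme in ("http", "https") and url.hostname else "other"

def source_allows(source, blocked_url, document_uri):  # approximate CSP host/scheme source matching
    src, url = source.lower(), urlsplit(blocked_url)
    if src == "*":
        return True
    if src == "'self'":
        return url[:2] == urlsplit(document_uri)[:2]  # same scheme and host:port
    if src.startswith("'"):  # 'none', 'unsafe-inline', nonces, hashes: never match a URL
        return False
    if src.endswith(":") and "/" not in src:  # scheme source such as "https:" or "data:"
        return url.scheme == src[:-1] or (src == "http:" and url.scheme == "https")
    scheme, _, hostport = src.partition("://") if "://" in src else ("", "", src)
    host = hostport.split("/", 1)[0].split(":", 1)[0]  # port matching omitted for brevity
    scheme = scheme or urlsplit(document_uri).scheme  # a scheme-less source inherits the page's scheme
    if url.scheme != scheme and not (scheme == "http" and url.scheme == "https"):
        return False  # an http source also matches https, never the reverse
    hostname = url.hostname or ""
    return hostname.endswith(host[1:]) if host.startswith("*.") else hostname == host

def triage(wrapper):  # classify one report and attach hints on why it fired and what to do about it
    r = wrapper.get("csp-report", wrapper)
    blocked, doc = r.get("blocked-uri", ""), r.get("document-uri", "")
    name, sources = directive_sources(r)
    kind, host, hints = classify_blocked_uri(blocked), None, []
    if kind == "host":
        host = (url := urlsplit(blocked)).hostname
        other = url._replace(scheme="http" if url.scheme == "https" else "https").geturl()
        if any(source_allows(s, blocked, doc) for s in sources):
            hints.append("already allowed: report probably came from a stale policy")
        elif any(source_allows(s, other, doc) for s in sources):
            hints.append("host listed only for the other scheme: fix the scheme, not the host")
        if GOOGLE_CCTLD.match(host):
            hints.append("Google country domain: allow the whole set or use a scheme source")
    elif kind == "opaque":
        hints.append("no URL reported: inline/eval, data:/blob:, extension-injected, or a redirect target")
    elif kind == "extension":
        hints.append("injected by a browser extension: noise, cannot be fixed in the site policy")
    return {"directive": name, "blocked": blocked, "kind": kind, "host": host, "hints": hints}

def summarize(wrappers):  # count by (directive, kind, host-or-token) so the noisy buckets stand out
    counts = Counter()
    for t in map(triage, wrappers):
        counts[(t["directive"], t["kind"], t["host"] or t["blocked"])] += 1
    return counts
```

Call `summarize(SAMPLE_REPORTS)` for the per-bucket counts or `triage(report)` for one report; on a real endpoint, replace `SAMPLE_REPORTS` with the decoded JSON bodies the browsers POST. The scheme check matters for the question's policy, which lists several hosts under both `http://` and `https://`: per CSP an `http://host` source already covers `https://host`, so a report about `http://host` blocked by an `https://host` entry is a mixed-content problem on the page, not a missing host in the policy.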