How to fix CSP errors? "Refused to execute inline event handler because it violates the following Content Security Policy directive..."

I am getting a CSP error when I add a nonce value to script-src. This is the CSP I am setting -

```
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'nonce-b1967a39a02f45edbac95cbb4651bd12' 'unsafe-hashes'; frame-src 'self' 'nonce-b1967a39a02f45edbac95cbb4651bd12' 'unsafe-hashes'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'self'; font-src 'self' data:;
```

The content of my JS file is -

```html
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title> WebHelp Navigation Toolbar </title>
<style>
<!--
body {margin:0;}
-->
</style>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whver.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whutils.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whmsg.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whproxy.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whmozemu.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whtbar.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' type="text/javascript" language="JavaScript1.2">
//<![CDATA[
function printTopic()
{
    var topicPane;
    if (top.frames[0].name == "ContentFrame")
        topicPane = top.frames[0].frames[1].frames[1];
    else
        topicPane = top.frames[1].frames[1];
    topicPane.focus();
    var msg = new whMessage(WH_MSG_PRINT, 0, 0);
    notify(msg);
}
//]]>
</script>
</head>
<body marginheight="0" marginwidth="0" bgcolor="#363f48" background="background.png" scroll="no">
<script nonce='b1967a39a02f45edbac95cbb4651bd12' language="javascript1.2">
<!--
if (window.gbWhTBar)
{
    setButtonFont("toc","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("toc","Arial","11pt","White","Normal","Normal","none", true);
    setButtonFont("idx","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("idx","Arial","11pt","White","Normal","Normal","none", true);
    setButtonFont("fts","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("fts","Arial","11pt","White","Normal","Normal","none", true);
    setButtonFont("glo","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("glo","Arial","11pt","White","Normal","Normal","none", true);
    setButtonFont("searchform","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("searchform","","","","","","", true);
    setButtonFont("banner","","","","","","");
    setButtonFont("banner","","","","","","", true);
    setButtonFont("custom15160","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("custom15160","Arial","11pt","White","Normal","Normal","none", true);

    gsIToc = "wht_toc_n.gif";
    gsITocS = "wht_toc_h.gif";
    gsIIndex = "wht_idx_n.gif";
    gsIIndexS = "wht_idx_h.gif";
    gsISearch = "wht_fts_n.gif";
    gsISearchS = "wht_fts_h.gif";
    gsIGlossary = "wht_glo_n.gif";
    gsIGlossaryS = "wht_glo_h.gif";
    gsIWebSearch = "wht_ws.gif";
    gsIWebSearchD = "wht_ws_g.gif";
    gsIBanner = "wht_logo1.gif";
    gsIGo = "wht_go.gif";

    setBackgroundcolor("#363f48");
    setBackground("background.png");
    setAlignment("left");
    setGoImage("search-input-go.png");

    if (!gsBgImage)
    {
        setButtonBgColor("toc", gsBgColor);
        setButtonBgColor("idx", gsBgColor);
        setButtonBgColor("fts", gsBgColor);
        setButtonBgColor("glo", gsBgColor);
        setButtonBgColor("toc", gsTBSelectedBgColor, true);
        setButtonBgColor("idx", gsTBSelectedBgColor, true);
        setButtonBgColor("fts", gsTBSelectedBgColor, true);
        setButtonBgColor("glo", gsTBSelectedBgColor, true);
        setButtonBgColor("toc","#363f48");
        setButtonBgColor("idx","#363f48");
        setButtonBgColor("fts","#363f48");
        setButtonBgColor("glo","#363f48");
        setButtonBgColor("searchform","");
        setButtonBgColor("banner","");
        setButtonBgColor("custom15160","#363f48");
    }
    setButtonBgColor("toc","#363f48", true);
    setButtonBgColor("idx","#363f48", true);
    setButtonBgColor("fts","#363f48", true);
    setButtonBgColor("glo","#363f48", true);
    setButtonBgColor("searchform","", true);
    setButtonBgColor("banner","", true);
    setButtonBgColor("custom15160","#363f48", true);

    addButton("toc",BTN_TEXT|BTN_IMG,"Contents","","","","",0,0,"contents-unselected.png","contents-selected.png","","contents-selected.png","","");
    addButton("fts",BTN_TEXT|BTN_IMG,"Search","","","","",0,0,"search-unselected.png","search-selected.png","","search-selected.png","","");
    addButton("searchform",BTN_TEXT,"","","","","",0,0,"","","","","","");
    addButton("custom15160",BTN_TEXT|BTN_IMG,"Print","","printTopic();","","",0,0,"print-unselected.png","print-selected.png","","print-selected.png","","");
    addButton("blankblock");
    writeStyle(false);
    ReSortToolbarButtons();
}
else
    document.location.reload();
//-->
</script>
</body>
```

I get this error after removing 'unsafe-inline' from script-src and adding 'nonce-b1967a39a02f45edbac95cbb4651bd12'. I have been stuck on this issue for a long time. I need some guidance. Thanks in advance.
P粉781235689, 416 days ago, 799

All replies (1)

  • P粉237647645

    P粉237647645 2023-08-31 10:12:08

    The error message says that you have an inline event handler, which means that you have an event attribute such as onclick, onblur, onchange, etc. The error message may link to the actual code.

    To allow inline event handlers, you need to use one of:

    • 'unsafe-hashes' and the hash of the code
    • 'unsafe-inline'

    However, if you are able to rewrite the code, your best option is to use event listeners.

    Attributes are not nonceable, so your nonce approach will not work with this code.

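Added example, not part of the question or the answer above: a small Node.js evaluator that applies the CSP Level 3 matching rules for inline event handler attributes to the policy from the question, showing why the nonce does not help and which changes would let the handler run. Function names are illustrative, and it assumes the `"printTopic();"` string passed to `addButton()` ends up as an inline `onclick` value.

```javascript
// Added example: CSP Level 3 rules for inline event handler attributes (Node.js).
const { createHash } = require('node:crypto');

// Hash-source for a handler's text (the value of onclick="..."); sha256 only.
function cspHashSource(code) {
  return `'sha256-${createHash('sha256').update(code, 'utf8').digest('base64')}'`;
}

// Split a policy into { directive: [sources] }; the first occurrence wins.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// True if the policy lets an inline handler with this exact text run.
function inlineHandlerAllowed(policy, handlerCode) {
  const d = parsePolicy(policy);
  // Fallback chain that governs event handler attributes.
  const list = d['script-src-attr'] ?? d['script-src'] ?? d['default-src'];
  if (list === undefined) return true; // nothing restricts scripts
  const lower = list.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const inlineOk = lower.includes("'unsafe-inline'") && !lower.includes("'strict-dynamic'");
  // 'unsafe-inline' is ignored once the list carries a nonce or a hash.
  if (inlineOk && !hasNonceOrHash) return true;
  // Nonces never apply to attributes; hashes apply only with 'unsafe-hashes'.
  return lower.includes("'unsafe-hashes'") && list.includes(cspHashSource(handlerCode));
}

// script-src part of the policy in the question; HANDLER is an assumption:
// the "printTopic();" string passed to addButton(), emitted as an onclick value.
const ASKER = "default-src 'none'; script-src 'self' 'unsafe-eval' " +
  "'nonce-b1967a39a02f45edbac95cbb4651bd12' 'unsafe-hashes'";
const HANDLER = 'printTopic();';

function demo() {
  return {
    asPosted: inlineHandlerAllowed(ASKER, HANDLER),
    withHash: inlineHandlerAllowed(`${ASKER} ${cspHashSource(HANDLER)}`, HANDLER),
    withUnsafeInline: inlineHandlerAllowed(`${ASKER} 'unsafe-inline'`, HANDLER),
    attrDirective: inlineHandlerAllowed(`${ASKER}; script-src-attr 'unsafe-inline'`, HANDLER),
  };
}
console.log(demo());
```

The `withUnsafeInline` case shows that appending 'unsafe-inline' to a script-src that already carries a nonce changes nothing, because the keyword is ignored in any source list that contains a nonce or hash.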