
How do I fix the CSP error "Refused to execute inline event handler because it violates the following Content Security Policy directive..."?

I get a CSP error when adding a nonce value to script-src. This is the CSP I am setting:

```
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'nonce-b1967a39a02f45edbac95cbb4651bd12' 'unsafe-hashes'; frame-src 'self' 'nonce-b1967a39a02f45edbac95cbb4651bd12' 'unsafe-hashes'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'self'; font-src 'self' data:;
```

My JS file content is:

```html
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title> WebHelp Navigation Toolbar </title>
<style>
<!--
body {margin:0;}
-->
</style>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whver.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whutils.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whmsg.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whproxy.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whmozemu.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' src="whtbar.js" charset="utf-8"></script>
<script nonce='b1967a39a02f45edbac95cbb4651bd12' type="text/javascript" language="JavaScript1.2">
//<![CDATA[
function printTopic()
{
    var topicPane;
    if (top.frames[0].name == "ContentFrame")
        topicPane = top.frames[0].frames[1].frames[1];
    else
        topicPane = top.frames[1].frames[1];
    topicPane.focus();
    var msg = new whMessage(WH_MSG_PRINT, 0, 0);
    notify(msg);
}
//]]>
</script>
</head>
<body marginheight="0" marginwidth="0" bgcolor="#363f48" background="background.png" scroll="no">
<script nonce='b1967a39a02f45edbac95cbb4651bd12' language="javascript1.2">
<!--
if (window.gbWhTBar)
{
    setButtonFont("toc","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("toc","Arial","11pt","White","Normal","Normal","none", true);
    setButtonFont("idx","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("idx","Arial","11pt","White","Normal","Normal","none", true);
    setButtonFont("fts","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("fts","Arial","11pt","White","Normal","Normal","none", true);
    setButtonFont("glo","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("glo","Arial","11pt","White","Normal","Normal","none", true);
    setButtonFont("searchform","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("searchform","","","","","","", true);
    setButtonFont("banner","","","","","","");
    setButtonFont("banner","","","","","","", true);
    setButtonFont("custom15160","Arial","11pt","#a7abaf","Normal","Normal","none");
    setButtonFont("custom15160","Arial","11pt","White","Normal","Normal","none", true);

    gsIToc = "wht_toc_n.gif";
    gsITocS = "wht_toc_h.gif";
    gsIIndex = "wht_idx_n.gif";
    gsIIndexS = "wht_idx_h.gif";
    gsISearch = "wht_fts_n.gif";
    gsISearchS = "wht_fts_h.gif";
    gsIGlossary = "wht_glo_n.gif";
    gsIGlossaryS = "wht_glo_h.gif";
    gsIWebSearch = "wht_ws.gif";
    gsIWebSearchD = "wht_ws_g.gif";
    gsIBanner = "wht_logo1.gif";
    gsIGo = "wht_go.gif";

    setBackgroundcolor("#363f48");
    setBackground("background.png");
    setAlignment("left");
    setGoImage("search-input-go.png");

    if (!gsBgImage)
    {
        setButtonBgColor("toc", gsBgColor);
        setButtonBgColor("idx", gsBgColor);
        setButtonBgColor("fts", gsBgColor);
        setButtonBgColor("glo", gsBgColor);
        setButtonBgColor("toc", gsTBSelectedBgColor, true);
        setButtonBgColor("idx", gsTBSelectedBgColor, true);
        setButtonBgColor("fts", gsTBSelectedBgColor, true);
        setButtonBgColor("glo", gsTBSelectedBgColor, true);
        setButtonBgColor("toc","#363f48");
        setButtonBgColor("idx","#363f48");
        setButtonBgColor("fts","#363f48");
        setButtonBgColor("glo","#363f48");
        setButtonBgColor("searchform","");
        setButtonBgColor("banner","");
        setButtonBgColor("custom15160","#363f48");
    }
    setButtonBgColor("toc","#363f48", true);
    setButtonBgColor("idx","#363f48", true);
    setButtonBgColor("fts","#363f48", true);
    setButtonBgColor("glo","#363f48", true);
    setButtonBgColor("searchform","", true);
    setButtonBgColor("banner","", true);
    setButtonBgColor("custom15160","#363f48", true);

    addButton("toc",BTN_TEXT|BTN_IMG,"Contents","","","","",0,0,"contents-unselected.png","contents-selected.png","","contents-selected.png","","");
    addButton("fts",BTN_TEXT|BTN_IMG,"Search","","","","",0,0,"search-unselected.png","search-selected.png","","search-selected.png","","");
    addButton("searchform",BTN_TEXT,"","","","","",0,0,"","","","","","");
    addButton("custom15160",BTN_TEXT|BTN_IMG,"Print","","printTopic();","","",0,0,"print-unselected.png","print-selected.png","","print-selected.png","","");
    addButton("blankblock");
    writeStyle(false);
    ReSortToolbarButtons();
}
else
    document.location.reload();
//-->
</script>
</body>
```

I get this error after removing 'unsafe-inline' from script-src and adding 'nonce-b1967a39a02f45edbac95cbb4651bd12'. I have been stuck on this issue for a long time. I need some guidance. Thanks in advance.
P粉781235689 · 416 days ago · 801

All replies (1)

  • P粉237647645, 2023-08-31 10:12:08

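    The error message indicates that you have an inline event handler, meaning there is an attribute such as onclick, onblur or onchange somewhere. The error message may include a link to the actual code.

    To allow inline event handlers, you need to use one of the following:

    • 'unsafe-hashes' and a hash of the code
    • 'unsafe-inline'

    However, if you can rewrite the code, the best approach is to use event listeners.

    These attributes are not nonceable, so the nonce method will not work for this code.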

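Added example (not part of the original question or answer): a Node.js helper that lists inline on* handlers in a markup string and builds the `script-src` value with 'unsafe-hashes' plus one hash per handler, followed by the event-listener rewrite the answer recommends. The sample markup, the `print-btn` id, the `r4nd0m` nonce and all function names are constructed for illustration.

```javascript
// Added example, not from the original post. SAMPLE and the ids are constructed.
const { createHash } = require('node:crypto');

const SAMPLE = `
<script nonce="r4nd0m" src="toolbar.js"></script>
<a id="print-btn" href="#" onclick="printTopic();">Print</a>
<input name="q" onchange='search(this.value)'>`;

// CSP source expression for one handler body. The digest covers the exact
// attribute value, so any change in whitespace gives a different hash.
function cspHash(code) {
  const digest = createHash('sha256').update(code, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// List quoted on* attributes in a markup string. A regex scan for auditing
// generated HTML, not a parser: entity-encoded values are not decoded.
function findInlineHandlers(html) {
  const tagRe = /<([a-z][\w-]*)\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const attrRe = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const found = [];
  for (const tag of html.matchAll(tagRe)) {
    for (const a of tag[2].matchAll(attrRe)) {
      found.push({ tag: tag[1].toLowerCase(), attr: a[1].toLowerCase(), code: a[2] ?? a[3] });
    }
  }
  return found;
}

// script-src value: the nonce still covers <script> elements; handlers need
// 'unsafe-hashes' plus one hash per distinct handler body.
function scriptSrc(nonce, handlers) {
  const hashes = [...new Set(handlers.map((h) => cspHash(h.code)))];
  const extra = hashes.length ? ["'unsafe-hashes'", ...hashes] : [];
  return ['script-src', "'self'", `'nonce-${nonce}'`, ...extra].join(' ');
}

// Preferred fix: remove the attribute and bind from a script the policy
// already allows; no hash is needed afterwards. `doc` is the page document.
function bindClick(doc, id, fn) {
  const el = doc.getElementById(id);
  el.removeAttribute('onclick');
  el.addEventListener('click', fn);
}

console.log(findInlineHandlers(SAMPLE));
console.log(scriptSrc('r4nd0m', findInlineHandlers(SAMPLE)));
```

A hash has to be regenerated whenever the handler text changes. Browsers ignore 'unsafe-inline' in a directive that also carries a nonce or hash, so that option only takes effect with the nonce and hashes removed.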