CSP: style-src
Baseline
Widely available
This feature is well established and works across many devices and browser versions. Itâs been available across browsers since 2016å¹´8æ.
HTTP ã® Content-Security-Policy (CSP) ã«ããã style-src ãã£ã¬ã¯ãã£ãã¯ãã¹ã¿ã¤ã«ã·ã¼ãã®æå¹ãªã½ã¼ã¹ãæå®ãã¾ãã
| CSP ãã¼ã¸ã§ã³ | 1 |
|---|---|
| ãã£ã¬ã¯ãã£ãç¨®å¥ | ãã§ãããã£ã¬ã¯ãã£ã |
default-src ã«ããä»£æ¿ |
ããããã®ãã£ã¬ã¯ãã£ãããªãå ´åãã¦ã¼ã¶ã¼ã¨ã¼ã¸ã§ã³ã㯠default-src ãã£ã¬ã¯ãã£ããæ¢ãã¾ãã
|
æ§æ
Content-Security-Policy: style-src 'none';
Content-Security-Policy: style-src <source-expression-list>;
ãã®ãã£ã¬ã¯ãã£ãã¯ã次ã®ããããã®å¤ãæå®ãããã¨ãã§ãã¾ãã
'none'-
ãã®ç¨®é¡ã®ãªã½ã¼ã¹ã¯èªã¿è¾¼ã¾ãã¾ãããåä¸å¼ç¨ç¬¦ã¯å¿ é ã§ãã
<source-expression-list>-
ã½ã¼ã¹è¡¨ç¾ã®å¤ã空ç½ã§åºåã£ããªã¹ãã§ãããã®ç¨®é¡ã®ãªã½ã¼ã¹ã¯ãæå®ãããã½ã¼ã¹è¡¨ç¾ã®ããããã¨ä¸è´ããå ´åã«èªã¿è¾¼ã¾ãã¾ãããã®ãã£ã¬ã¯ãã£ãã§ã¯ã以ä¸ã®ã½ã¼ã¹è¡¨ç¾ã®å¤ãé©ç¨ã§ãã¾ãã
<host-source><scheme-source>'self''unsafe-inline''unsafe-hashes''nonce-<nonce_value>''<hash_algorithm>-<hash_value>''report-sample'
ãªããä»æ§æ¸ã§ã¯æå¹ãªã½ã¼ã¹è¡¨ç¾å¤ã¨ãã¦
'unsafe-eval'ãè¨è¼ããã¦ãã¾ããããã¯ããã¾ãã¾ãªã¤ã³ã¿ã¼ãã§ã¤ã¹ã«ãããinsertRule()ã¡ã½ãããcssTextã»ãã¿ã¼ãä¾ãã°CSSStyleSheet.insertRule()ãCSSStyleDeclaration.cssTextãªã©ã CSS æååã解æããã³æ¿å ¥ãã CSSOM ã®ã¡ã½ããã許å¯ããããã§ããããããç¾å¨ããããã®ã¡ã½ããããããã¯ãããã©ã¦ã¶ã¼ã¯ãªããããunsafe-evalãé©ç¨ããå¿ è¦ã¯ããã¾ããã
ä¾
éåããå ´å
ãã® CSP ãããã¼ãããå ´åã
Content-Security-Policy: style-src https://example.com/
以ä¸ã®ã¹ã¿ã¤ã«ã·ã¼ãã¯ãããã¯ãããèªã¿è¾¼ã¾ãã¾ããã
<link href="/proxy/not-example.com/styles/main.css" rel="stylesheet" />
<style>
#inline-style {
background: red;
}
</style>
<style>
@import url("/proxy/not-example.com/styles/print.css") print;
</style>
Link ãããã¼ã§èªã¿è¾¼ã¾ãããã®ãåæ§ã§ãã
Link: <https://not-example.com/styles/stylesheet.css>;rel=stylesheet
ã¤ã³ã©ã¤ã³ã® style å±æ§ããããã¯ããã¾ãã
<div style="display:none">Foo</div>
JavaScript ã§ç´æ¥ style å±æ§ãè¨å®ãããã cssText ãè¨å®ãããããã¹ã¿ã¤ã«ãåæ§ã§ãã
document.querySelector("div").setAttribute("style", "display:none;");
document.querySelector("div").style.cssText = "display:none;";
ããããè¦ç´ ã® style ããããã£ã«ç´æ¥è¨å®ãããã¹ã¿ã¤ã«ããããã£ã¯ãããã¯ãããã JavaScript ããå®å
¨ã«ã¹ã¿ã¤ã«ãæä½ãããã¨ãã§ãã¾ãã
document.querySelector("div").style.display = "none";
ãã®æã®æä½ã¯ã CSP ã® script-src ãã£ã¬ã¯ãã£ã㧠JavaScript ãç¡å¹ã«ãããã¨ã§é²ããã¨ãã§ãã¾ãã
å®å ¨ã§ã¯ãªãã¤ã³ã©ã¤ã³ã¹ã¿ã¤ã«
ã¡ã¢: ã¤ã³ã©ã¤ã³ã¹ã¿ã¤ã«ã¨ã¤ã³ã©ã¤ã³ã¹ã¯ãªãããç¦æ¢ãããã¨ã¯ã CSP ãæä¾ããæ大ã®ã»ãã¥ãªãã£ä¸ã®å©ç¹ã®ä¸ã¤ã§ããããããã©ããã¦ã使ç¨ããªããã°ãªããªãå ´åã¯ããããã許å¯ããä»çµã¿ãããã¤ãããã¾ãã
ã¤ã³ã©ã¤ã³ã¹ã¿ã¤ã«ã許å¯ããã«ã¯ã'unsafe-inline'ããã³ã¹hã½ã¼ã¹ãããã·ã¥ã½ã¼ã¹ã®ãããããä¸è´ããã¤ã³ã©ã¤ã³ãããã¯ã«æå®ã§ãã¾ãã次ã®ã³ã³ãã³ãã»ãã¥ãªãã£ããªã·ã¼ã«å¾ããã¨ã§ã <style> è¦ç´ ããããããè¦ç´ ã® style å±æ§ã®ãããªã¤ã³ã©ã¤ã³ã¹ã¿ã¤ã«ã許å¯ããã¾ãã
Content-Security-Policy: style-src 'unsafe-inline';
ä¸è¨ã®ã³ã³ãã³ãã»ãã¥ãªãã£ããªã·ã¼ã¯ <style> è¦ç´ ãããããè¦ç´ ã® style å±æ§ãªã©ã®ã¤ã³ã©ã¤ã³ã¹ã¿ã¤ã«ã許å¯ãã¾ãã
<style>
#inline-style {
background: red;
}
</style>
<div style="display:none">Foo</div>
ç¹å®ã®ã¤ã³ã©ã¤ã³ã¹ã¿ã¤ã«ãããã¯ã®ã¿ã許å¯ããã«ã¯ã nonce-source ã使ç¨ãããã¨ãã§ãã¾ãã ï¼æå·çã«å®å ¨ãªã©ã³ãã ãã¼ã¯ã³ã¸ã§ãã¬ã¼ã¿ã使ç¨ãã¦ï¼ã©ã³ãã 㪠nonce å¤ãçæãããããããªã·ã¼ã«å«ããå¿ è¦ãããã¾ãã ãã® nonce å¤ã¯ã HTTP ãªã¯ã¨ã¹ããã¨ã«ä¸æã§ããå¿ è¦ããããããåçã«çæããå¿ è¦ããããã¨ã«æ³¨æãããã¨ãéè¦ã§ãã
Content-Security-Policy: style-src 'nonce-2726c7f26c'
åããã³ã¹ã <style> è¦ç´ ã«ãè¨å®ããå¿
è¦ãããã¾ãã
<style nonce="2726c7f26c">
#inline-style {
background: red;
}
</style>
ä»ã«ããã¤ã³ã©ã¤ã³ã¹ã¿ã¤ã«ããããã·ã¥ãçæãããã¨ãã§ãã¾ãã CSP ã§ã¯ sha256ãsha384ãsha512 ã«å¯¾å¿ãã¦ãã¾ããããã·ã¥ã®ãã¤ããªã¼å½¢å¼ã¯ base64 ã§ã¨ã³ã³ã¼ãããã¦ããªããã°ãªãã¾ãããæååã®ããã·ã¥ã¯ openssl ããã°ã©ã ã使ã£ã¦ã³ãã³ãã©ã¤ã³ããåå¾ãããã¨ãã§ãã¾ãã
echo -n "#inline-style { background: red; }" | openssl dgst -sha256 -binary | openssl enc -base64
ããã·ã¥ã½ã¼ã¹ã使ç¨ããã¨ãç¹å®ã®ã¤ã³ã©ã¤ã³ã¹ã¿ã¤ã«ãããã¯ã®ã¿ã許å¯ãããã¨ãã§ãã¾ãã
Content-Security-Policy: style-src 'sha256-ozBpjL6dxO8fsS4u6fwG1dFDACYvpNxYeBA6tzR+FY8='
ããã·ã¥ãçæããã¨ãã¯ã <style> ã¿ã°ãå«ããªãããã«ãã大æåå°æåã¨ããã¯ã¤ãã¹ãã¼ã¹ãç¹ã«åå¾ã®ãã¯ã¤ãã¹ãã¼ã¹ã«æ³¨æãã¦ãã ããã
<style>
#inline-style {
background: red;
}
</style>
ä»æ§æ¸
| Specification |
|---|
| Content Security Policy Level 3 # directive-style-src |