Content Security Policy
https://content-security-policy.com/
The new
Content-Security-PolicyHTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.
現代瀏覽器提供的防止XSS攻擊的手段。服務器設置此響應頭,規定本網站中的網頁內容, 執行的內容訪問的安全策略。
Directive(指令)
The
Content-Security-Policyheader value is made up of one or more directives (defined below), multiple directives are separated with a semicolon;This documentation is provided based on the Content Security Policy 1.0 W3C Candidate Recommendation
此響應頭部值,由一個或者更多的指令構成, 如果是多個指令, 則指令之間以分好隔開。 符合 W3C候選標准。
default-src 'self' cdn.example.com The default-src is the default policy for loading content such as JavaScript, Images, CSS, Font's, AJAX requests, Frames, HTML5 Media. See the Source List Reference for possible values.
規定默認源訪問控制策略, 如果是self, 則表示可以引用自己網站的資源, 還可添加指定的其它網站域名。
script-src 'self' js.example.com Defines valid sources of JavaScript.
腳本源訪問控制。
<script type="text/javascript" src="xxx"/>
style-src 'self' css.example.com Defines valid sources of stylesheets.
樣式資源訪問控制。
<link href="//sta.36krcnd.com/36krx2016-front/static/common-ab805c33f6f206dcc85e.css" rel="stylesheet">
img-src 'self' img.example.com Defines valid sources of images.
圖片資源訪問控制。
<img src="">
connect-src 'self' Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed the browser emulates a 400 HTTP status code.
ajax websocket eventsource 訪問源控制。
font-src font.example.com Defines valid sources of fonts.
字體資源訪問控制。
object-src 'self' Defines valid sources of plugins, eg <object>, <embed> or <applet>.
嵌入式對象資源訪問控制。
media-src media.example.com Defines valid sources of audio and video, eg HTML5 <audio>, <video> elements.
媒體源訪問控制。
frame-src 'self' Defines valid sources for loading frames. child-src is preferred over this deprecated directive.
框架源訪問控制。
child-src 'self' Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>
代替frame-src, 確定頁面中框架源訪問控制。
form-action 'self' Defines valid sources that can be used as a HTML <form> action.
允許表單提交的目標定義。
frame-ancestors 'none' Defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet>. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY
是否允許本頁面被其它頁面嵌入的控制。
Source List(源頭內容列表)
All of the directives that end with
-srcsupport similar values known as a source list. Multiple source list values can be space separated with the exception of'none'which should be the only value..
以src結尾的指令支持類似的值, 這些值列舉如下。 多源頭列表值,使用空格分開, 如果只有一個值“none”,則其實唯一的值,不能去其它值並存。
Source Value Example Description
* img-src * Wildcard, allows any URL except data: blob: filesystem: schemes.
允許任何URL,但是不允許 data blob filesystem 方案。
'none' object-src 'none' Prevents loading resources from any source.
不允許從任何源頭下載資源。
'self' script-src 'self' Allows loading resources from the same origin (same scheme, host and port).
遵守同源策略。
data: img-src 'self' data: Allows loading resources via the data scheme (eg Base64 encoded images).
允許以data方案加載資源。
domain.example.com img-src domain.example.com Allows loading resources from the specified domain name.
允許從指定域名下載資源。
*.example.com img-src *.example.com Allows loading resources from any subdomain under example.com.
允許加載任何子域名和資源。
https://cdn.com img-src https://cdn.com Allows loading resources only over HTTPS matching the given domain.
允許以https方式加載指定域名的資源。
https: img-src https: Allows loading resources only over HTTPS on any domain.
只允許以https方式加載。
'unsafe-inline' script-src 'unsafe-inline' Allows use of inline source elements such as style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to)
允許使用行內源元素,這里將這些元素定義為 unsafe。
'unsafe-eval' script-src 'unsafe-eval' Allows unsafe dynamic code evaluation such as JavaScript eval()
允許使用不安全的eval接口。