Content-Security-Policy:內(nèi)容安全策略
作用
限制方式
資源類型
內(nèi)容安全策略文檔:https://developer.mozilla.org/zh-CN/docs/Web/Security/CSP
總結(jié)
'Content-Security-Policy':'default-src http: https:' //只加載外鏈資源
'Content-Security-Policy':'default-src \'self\'' //只加載同域下的外鏈資源(包括圖片等所有資源)
'Content-Security-Policy':'script-src \'self\'' //只加載同域下的script資源
'Content-Security-Policy':'default-src \'self\' https://cdn.bootcss.com' //只加載同域或指定域名下的外鏈資源
'Content-Security-Policy':'default-src \'self\'; form-action \'self\'' //只加載同域下的外鏈資源,form表單只能提交到本地
'Content-Security-Policy':'acript-src \'self\'; form-action \'self\'; report-uri /report' //將不符合條件的資源請求提交報告給服務器/report地址下(資源請求被block掉)
'Content-Security-Policy-Report-Only':'acript-src \'self\'; form-action \'self\'; report-uri /report' //將不符合條件的資源提交報告給服務器/report地址下(資源請求不被block掉)
資源加載被block掉
內(nèi)鏈script和非本域下外鏈的script被block掉
report內(nèi)容
內(nèi)容安全策略也可寫在html的meta標簽里:
<meta http-equiv="Content-Security-Policy" content="connect-src 'self'; form-action 'self'">
report-uri不可寫在meta標簽里
demo
//html
<html>
<head>
<title>3-10 CSP</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<meta http-equiv="Content-Security-Policy" content="connect-src 'self'; form-action 'self';">
</head>
<body>
<div>this is content</div>
<form action='https://www.baidu.com/' id="form" method="POST" enctype='multipart/form-data'>
<input type="submit">
</form>
<img src="http://www.baidu.com/img/superlogo_c4d7df0a003d3db9b65e9ef0fe6da1ec.png?qua=high&where=super">
</body>
<script>
console.log("this is a inline script")
fetch('http://baidu.com')
</script>
<script src="/test.js"></script>
<script src="https://cdn.bootcss.com/jquery/3.3.1/core.js"></script>
</html>
//server.js
const http=require('http');
const fs=require('fs')
const zlib=require('zlib')
http.createServer(function(request,response){
const html=fs.readFileSync('test.html')
if (request.url==='/') {
response.writeHead(200,{
'Content-Type':'text/html',
// 'Content-Security-Policy':'default-src http: https:'
// 'Content-Security-Policy':'default-src \'self\''
// 'Content-Security-Policy':'default-src \'self\' https://cdn.bootcss.com'
// 'Content-Security-Policy':'default-src \'self\'; form-action \'self\''
// 'Content-Security-Policy':'acript-src \'self\'; form-action \'self\';'
// 'Content-Security-Policy':'acript-src \'self\'; form-action \'self\'; report-uri /report'
'Content-Security-Policy-Report-Only':'acript-src \'self\'; form-action \'self\'; report-uri /report'
})
response.end(html)
}else{
response.writeHead(200,{
'Content-Type':'application/javascript'
})
response.end('console.log("loaded script")')
};
}).listen(8888)
console.log('server listening on 8888')
