什么是Content Security Policy(CSP)
Content Security Policy是一种网页安全策略,现代浏览器使用它来增强网页的安全性。可以通过Content Security Policy来限制哪些资源(如JavaScript、CSS、图像等)可以被加载,从哪些url加载。
CSP 本质上是白名单机制,开发者明确告诉浏览器哪些外部资源可以加载和执行,可以从哪些url加载资源。
CSP最初被设计用来减少跨站点脚本攻击(XSS),该规范的后续版本还可以防止其他形式的攻击,如点击劫持。
启用CSP的两种方法
启用CSP的方法有两种,第一种是通过设置一个HTTP响应头(HTTP response header) “Content-Security-Policy”,第二种是通过HTML标签设置,例如:
除了Content-Security-Policy外,还有一个Content-Security-Policy-Report-Only字段,表示不执行限制选项,只是记录违反限制的行为,必须与report-uri值选项配合使用,例如:
CSP指令介绍
Content-Security-Policy值由一个或多个指令组成,多个指令用分号分隔。
csp资源加载项限制指令如下:
上述指令对应的值如下:
Source Value | Example | Description |
* | img-src * | Wildcard, allows any URL except data: blob: filesystem: schemes. |
'none' | object-src 'none' | Prevents loading resources from any source. |
'self' | script-src 'self' | Allows loading resources from the same origin (same scheme, host and port). |
data: | img-src 'self' data: | Allows loading resources via the data scheme (eg Base64 encoded images). |
domain.example.com | img-src domain.example.com | Allows loading resources from the specified domain name. |
*.example.com | img-src *.example.com | Allows loading resources from any subdomain under example.com. |
img-src https://cdn.com/ | Allows loading resources only over HTTPS matching the given domain. | |
https: | img-src https: | Allows loading resources only over HTTPS on any domain. |
'unsafe-inline' | script-src 'unsafe-inline' | Allows use of inline source elements such as style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to) and javascript: URIs |
'unsafe-eval' | script-src 'unsafe-eval' | Allows unsafe dynamic code evaluation such as JavaScript eval() |
'sha256-' | script-src 'sha256-xyz...' | Allows an inline script or CSS to execute if its hash matches the specified hash in the header. Currently supports SHA256, SHA384 or SHA512. CSP Level 2 |
'nonce-' | script-src 'nonce-rAnd0m' | Allows an inline script or CSS to execute if the script (eg: |