How does Content Security Policy work?

Content comes from Stack Overflow and is translated and used under the CC BY-SA 3.0 license


What exactly does 'self' mean?

Asked by a user

Answered by a user

Only the content attribute is shown below, so an example written as content="default-src 'self'" means:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

You can simply list the sources after the directive as a space-separated list:

content="default-src 'self' https://example.com/js/"

These sources would be valid:

https://example.com/js/file.js
https://example.com/js/subdir/anotherfile.js

However, these would be invalid:

http://example.com/js/file.js
^^^^ wrong protocol

https://example.com/file.js
                   ^^ above the specified path

Answered by a user

APACHE 2 MOD_HEADERS

You can also enable the Apache 2 mod_headers module. On Fedora it is already enabled by default; if you use Ubuntu/Debian, do the following:

# First enable the headers module for Apache2,
# then gracefully restart the Apache2 service.
# (On Debian/Ubuntu use apache2ctl: the bare apache2 binary
# does not load /etc/apache2/envvars and fails to start.)
a2enmod headers
apache2ctl graceful

On Ubuntu/Debian the headers can be configured in the file /etc/apache2/conf-enabled/security.conf

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header always set X-Frame-Options "sameorigin"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies "master-only"
Header always set Cache-Control "no-cache, no-store, must-revalidate"
Header always set Pragma "no-cache"
Header always set Expires "-1"
#
# "Header set" replaces any earlier value of the same header, so three
# separate "set" lines for Content-Security-Policy would leave only the
# last one (style-src) in the response and silently drop default-src and
# script-src. All directives belong in one header, separated by semicolons.
#
Header always set Content-Security-Policy "default-src 'none'; script-src 'self' www.google-analytics.com adserver.example.com www.example.com; style-src 'self' www.example.com"
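The following JavaScript is an added example that serves both answers above; it is not code from either Stack Overflow answer. It parses a Content-Security-Policy header value into directives, implements the source-expression matching the first answer illustrates ('self', scheme, host, and path prefix), falls back to default-src the way browsers do, and simulates what Apache's repeated "Header set" lines do to the second answer's configuration. The page origins (https://mysite.test, https://www.example.com) and resource URLs are constructed for the demo; nonces, hashes, 'unsafe-inline', 'strict-dynamic', and redirect handling are deliberately not modelled.

```javascript
// Added example, not code from either Stack Overflow answer: a simplified
// CSP evaluator. parsePolicy() splits a header value into directives,
// matchesSource() implements the source-expression rules ('self', scheme,
// host, path prefix), isAllowed() applies a directive with default-src
// fallback, and applyHeaderSets() shows why repeated Apache "Header set"
// lines keep only the last value. Page origins and URLs are constructed.
// Not modelled: nonces, hashes, 'unsafe-inline', 'strict-dynamic', redirects.

function parsePolicy(header) {
  // "default-src 'none'; script-src 'self' a.com" ->
  //   Map { "default-src" => ["'none'"], "script-src" => ["'self'", "a.com"] }
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // CSP honours only the first occurrence of a directive within one policy.
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1).toLowerCase(); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern.toLowerCase() === host;
}

function matchesSource(expr, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  // An http: source also matches an https: URL (the spec's scheme upgrade).
  const schemeOk = (s) => u.protocol === s || (s === 'http:' && u.protocol === 'https:');

  if (expr === "'none'") return false;
  if (expr === "'self'") return u.protocol === page.protocol && u.host === page.host;
  if (expr.startsWith("'")) return false; // other keyword sources are not modelled
  if (expr === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(u.protocol);
  // Scheme-only source such as "https:" or "data:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();

  // Host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:\s]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, hostPat, portPat, pathPat] = m;

  // Without an explicit scheme, the page's own scheme is implied.
  if (!schemeOk(scheme ? scheme.toLowerCase() + ':' : page.protocol)) return false;
  if (!hostMatches(hostPat, u.hostname)) return false;

  // Without an explicit port, the URL must use its scheme's default port.
  const defaults = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
  const effectivePort = u.port || defaults[u.protocol] || '';
  if (portPat === undefined ? u.port !== '' : portPat !== '*' && portPat !== effectivePort) return false;

  // A path ending in "/" is a prefix; any other path must match exactly.
  if (pathPat !== undefined) {
    if (pathPat.endsWith('/') ? !u.pathname.startsWith(pathPat) : u.pathname !== pathPat) return false;
  }
  return true;
}

function isAllowed(policy, directive, url, pageOrigin) {
  // Fetch directives fall back to default-src; with neither, the load is unrestricted.
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (!sources) return true;
  return sources.some((expr) => matchesSource(expr, url, pageOrigin));
}

function applyHeaderSets(configLines) {
  // mod_headers "set" semantics: each line overwrites the previous value.
  const headers = new Map();
  for (const line of configLines) {
    const m = /^Header\s+(?:always\s+)?set\s+([^\s:]+):?\s+"([^"]*)"\s*$/i.exec(line.trim());
    if (m) headers.set(m[1].toLowerCase(), m[2]);
  }
  return headers;
}

// Demo with the policy from the first answer.
const demoPolicy = parsePolicy("default-src 'self' https://example.com/js/");
for (const url of ['https://example.com/js/file.js', 'http://example.com/js/file.js', 'https://example.com/file.js']) {
  console.log(url, isAllowed(demoPolicy, 'script-src', url, 'https://mysite.test') ? 'allowed' : 'blocked');
}
```

Run it with node; the demo prints the three URLs from the first answer with their verdicts. Feeding the three original Content-Security-Policy lines from the second answer into applyHeaderSets() returns a map whose only CSP value is the style-src line, which is what the browser would have received.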
