Content Security Policy

https://content-security-policy.com/

The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.

现代浏览器提供的防止XSS攻击的手段。服务器设置此响应头，规定本网站中的网页内容， 执行的内容访问的安全策略。

Directive（指令）

The Content-Security-Policy header value is made up of one or more directives (defined below), multiple directives are separated with a semicolon ;

This documentation is provided based on the Content Security Policy 1.0 W3C Candidate Recommendation

此响应头部值，由一个或者更多的指令构成， 如果是多个指令， 则指令之间以分好隔开。  符合 W3C候选标准。

default-src     ‘self‘ cdn.example.com   The default-src is the default policy for loading content such as JavaScript, Images, CSS, Font‘s, AJAX requests, Frames, HTML5 Media. See the Source List Reference for possible values.

规定默认源访问控制策略， 如果是self， 则表示可以引用自己网站的资源，  还可添加指定的其它网站域名。

script-src  ‘self‘ js.example.com   Defines valid sources of JavaScript.

脚本源访问控制。

<script type="text/javascript" src="xxx"/>

style-src   ‘self‘ css.example.com  Defines valid sources of stylesheets.

样式资源访问控制。

<lnk src="xxx">

img-src     ‘self‘ img.example.com  Defines valid sources of images.

图片资源访问控制。

<img src="">

connect-src     ‘self‘  Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed the browser emulates a 400 HTTP status code.

ajax websocket eventsource 访问源控制。

font-src    font.example.com    Defines valid sources of fonts.

字体资源访问控制。

object-src  ‘self‘  Defines valid sources of plugins, eg <object>, <embed> or <applet>.

嵌入式对象资源访问控制。

media-src   media.example.com   Defines valid sources of audio and video, eg HTML5 <audio>, <video> elements.

媒体源访问控制。

frame-src   ‘self‘  Defines valid sources for loading frames. child-src is preferred over this deprecated directive.

框架源访问控制。

child-src   ‘self‘  Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>

代替frame-src, 确定页面中框架源访问控制。

form-action     ‘self‘  Defines valid sources that can be used as a HTML <form> action.

允许表单提交的目标定义。

frame-ancestors     ‘none‘  Defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet>. Setting this directive to ‘none‘ should be roughly equivalent to X-Frame-Options: DENY

是否允许本页面被其它页面嵌入的控制。

Source List（源头内容列表）

All of the directives that end with -src support similar values known as a source list. Multiple source list values can be space separated with the exception of ‘none‘ which should be the only value..

以src结尾的指令支持类似的值， 这些值列举如下。 多源头列表值，使用空格分开， 如果只有一个值“none”，则其实唯一的值，不能去其它值并存。

Source Value    Example     Description
*   img-src *   Wildcard, allows any URL except data: blob: filesystem: schemes.

允许任何URL，但是不允许 data blob filesystem 方案。

‘none‘  object-src ‘none‘   Prevents loading resources from any source.

不允许从任何源头下载资源。

‘self‘  script-src ‘self‘   Allows loading resources from the same origin (same scheme, host and port).

遵守同源策略。

data:   img-src ‘self‘ data:    Allows loading resources via the data scheme (eg Base64 encoded images).

允许以data方案加载资源。

domain.example.com  img-src domain.example.com  Allows loading resources from the specified domain name.

允许从指定域名下载资源。

*.example.com   img-src *.example.com   Allows loading resources from any subdomain under example.com.

允许加载任何子域名和资源。

https://cdn.com     img-src https://cdn.com     Allows loading resources only over HTTPS matching the given domain.

允许以https方式加载指定域名的资源。

https:  img-src https:  Allows loading resources only over HTTPS on any domain.

只允许以https方式加载。

‘unsafe-inline‘     script-src ‘unsafe-inline‘  Allows use of inline source elements such as style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to)

允许使用行内源元素，这里将这些元素定义为 unsafe。

‘unsafe-eval‘   script-src ‘unsafe-eval‘    Allows unsafe dynamic code evaluation such as JavaScript eval()

允许使用不安全的eval接口。