3-10 CSP

Content-Security-Policy：内容安全策略

作用

限制方式

资源类型

内容安全策略文档：https://developer.mozilla.org/zh-CN/docs/Web/Security/CSP

总结

'Content-Security-Policy':'default-src http: https:'  //只加载外链资源
'Content-Security-Policy':'default-src \'self\'' //只加载同域下的外链资源(包括图片等所有资源)
'Content-Security-Policy':'script-src \'self\'' //只加载同域下的script资源
'Content-Security-Policy':'default-src \'self\' https://cdn.bootcss.com'  //只加载同域或指定域名下的外链资源
'Content-Security-Policy':'default-src \'self\'; form-action \'self\''   //只加载同域下的外链资源,form表单只能提交到本地
'Content-Security-Policy':'acript-src \'self\'; form-action \'self\'; report-uri /report' //将不符合条件的资源请求提交报告给服务器/report地址下（资源请求被block掉）
'Content-Security-Policy-Report-Only':'acript-src \'self\'; form-action \'self\'; report-uri /report' //将不符合条件的资源提交报告给服务器/report地址下（资源请求不被block掉）

资源加载被block掉

内链script和非本域下外链的script被block掉

report内容

内容安全策略也可写在html的meta标签里：

report-uri不可写在meta标签里

demo

//html


  3-10 CSP
  
  


  this is content
  
    
  
  







//server.js
const http=require('http');
const fs=require('fs')
const zlib=require('zlib')

http.createServer(function(request,response){
    const html=fs.readFileSync('test.html')
    if (request.url==='/') {
      response.writeHead(200,{
        'Content-Type':'text/html',
        // 'Content-Security-Policy':'default-src http: https:'
        // 'Content-Security-Policy':'default-src \'self\''
        // 'Content-Security-Policy':'default-src \'self\' https://cdn.bootcss.com'
        // 'Content-Security-Policy':'default-src \'self\'; form-action \'self\''
        // 'Content-Security-Policy':'acript-src \'self\'; form-action \'self\';'
        // 'Content-Security-Policy':'acript-src \'self\'; form-action \'self\'; report-uri /report'
        'Content-Security-Policy-Report-Only':'acript-src \'self\'; form-action \'self\'; report-uri /report'
      })
      response.end(html) 
    }else{
      response.writeHead(200,{
        'Content-Type':'application/javascript'
      })
      response.end('console.log("loaded script")') 
    };
}).listen(8888)
console.log('server listening on 8888')

3-10 CSP

总结

demo

你可能感兴趣的:(3-10 CSP)