在瀏覽網頁的過程當中,尤爲是移動端的網頁,常常看到有不少無關的廣告,其實大部分廣告都是所在的網絡劫持了網站響應的內容,並在其中植入了廣告代碼。爲了防止這種狀況發生,咱們可使用CSP來快速的阻止這種廣告植入。並且能夠比較好的防護dom xss。css
CSP使用方式有兩種java
1. 使用meta標籤, 直接在頁面添加meta標籤ios
<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.xx.com *.xx.cn 'unsafe-inline' 'unsafe-eval';">web
這種方式最簡單,可是也有些缺陷,每一個頁面都須要添加,並且不能對限制的域名進行上報。chrome
2. 在服務端配置csp瀏覽器
Apache :網絡
Add the following to your httpd.conf in your VirtualHost or in an .htaccess file:app
Header set Content-Security-Policy "default-src 'self';"dom
Nginx :xss
In your server {} block add:
add_header Content-Security-Policy "default-src 'self';";
在服務端配置全部的頁面均可以不須要改了,並且還支持上報。
若是meta、響應頭裏都指定了Content-Security-Policy,則會優先使用響應頭裏的Content-Security-Policy
CSP內容匹配的規則:規則名稱 規則 規則;規則名稱 規則 ...
好比:
default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
default-src 'self' *.xx.com *.xx.cn aa.com 'unsafe-inline' 'unsafe-eval'
*.xx.com 支持多級域名, 能夠不填寫http協議。
default-src 全部資源的默認策略
script-src JS的加載策略,會覆蓋default-src中的策略,好比寫了default-src xx.com;script-src x.com xx.com; 必須同時加上xx.com,由於script-src會看成一個總體覆蓋整個默認的default-src規則。
'unsafe-inline' 容許執行內聯的JS代碼,默認爲不容許,若是有內聯的代碼必須加上這條
'unsafe-eval' 容許執行eval等
對自定義的協議 好比 jsxxx://aaa.com 能夠寫成 jsxxx:
https協議下自動把http請求轉爲https可使用 upgrade-insecure-requests
CSP瀏覽器支持
目前CSP LEVER1 已經被大部分瀏覽器所支持
csp lever1 涉及到的規則有:
default-src、script-src、style-src、img-src、connect-src、font-src、object-src、media-src、
sandbox、report-uri
CSP LEVER2 加了一些新的規則:
child-src、form-action、frame-ancestors、plugin-types 。對於如今的移動端開發來講,lever2已經徹底可使用了。
詳細規則內容:(參考:https://content-security-policy.com/)
Directive | Example Value | Description |
---|---|---|
default-src |
'self' cdn.example.com |
The default-src is the default policy for loading content such as JavaScript, Images, CSS, Font's, AJAX requests, Frames, HTML5 Media. See the Source List Reference for possible values. CSP Level 1 25+ 23+ 7+ 12+ |
script-src |
'self' js.example.com |
Defines valid sources of JavaScript. CSP Level 1 25+ 23+ 7+ 12+ |
style-src |
'self' css.example.com |
Defines valid sources of stylesheets. CSP Level 1 25+ 23+ 7+ 12+ |
img-src |
'self' img.example.com |
Defines valid sources of images. CSP Level 1 25+ 23+ 7+ 12+ |
connect-src |
'self' |
Applies to XMLHttpRequest (AJAX), WebSocket or EventSource . If not allowed the browser emulates a 400 HTTP status code. CSP Level 1 25+ 23+ 7+ 12+ |
font-src |
font.example.com |
Defines valid sources of fonts. CSP Level 1 25+ 23+ 7+ 12+ |
object-src |
'self' |
Defines valid sources of plugins, eg <object> , <embed> or <applet> . CSP Level 1 25+ 23+ 7+ 12+ |
media-src |
media.example.com |
Defines valid sources of audio and video, eg HTML5 <audio> , <video> elements. CSP Level 1 25+ 23+ 7+ 12+ |
frame-src |
'self' |
Defines valid sources for loading frames. child-src is preferred over this deprecated directive. Deprecated |
sandbox |
allow-forms allow-scripts |
Enables a sandbox for the requested resource similar to the iframe sandbox attribute. The sandbox applies a same origin policy, prevents popups, plugins and script execution is blocked. You can keep the sandbox value empty to keep all restrictions in place, or add values: allow-forms allow-same-origin allow-scripts allow-popups , allow-modals , allow-orientation-lock , allow-pointer-lock , allow-presentation , allow-popups-to-escape-sandbox , and allow-top-navigation CSP Level 1 25+ 50+ 7+ 12+ |
report-uri |
/some-report-uri |
Instructs the browser to POST a reports of policy failures to this URI. You can also append -Report-Only to the HTTP header name to instruct the browser to only send reports (does not block anything). CSP Level 1 25+ 23+ 7+ 12+ |
child-src |
'self' |
Defines valid sources for web wokers and nested browsing contexts loaded using elements such as <frame> and <iframe> CSP Level 2 40+ 45+ |
form-action |
'self' |
Defines valid sources that can be used as a HTML <form> action. CSP Level 2 40+ 36+ |
frame-ancestors |
'none' |
Defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet> . Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY CSP Level 2 39+ 33+ |
plugin-types |
application/pdf |
Defines valid MIME types for plugins invoked via <object> and <embed> . To load an <applet> you must specify application/x-java-applet . CSP Level 2 40+ |
參考文檔:
https://content-security-policy.com/
http://baike.baidu.com/link?url=d0CILP0CXyvCuc_pRv7-3gRNXjEPKwiDWEReXi4uzEr8IPkktX3VLfnUnRyc70cLn9zSyviOfmpS8aAWUd3xrK