CSP (Content Security Policy)

When browsing the web, especially on mobile, you often see many unrelated ads. Most of them are not placed by the site at all: the network you are on hijacks the site's response and injects ad code into it. To stop this, we can use CSP to quickly block such injection. CSP also gives fairly good protection against DOM XSS.

There are two ways to deploy CSP:

1. Use a meta tag: add the tag directly to the page

<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.xx.com *.xx.cn 'unsafe-inline' 'unsafe-eval';">

This is the simplest method, but it has drawbacks: every page needs the tag added, and violations of the restricted domains cannot be reported.

2. Configure CSP on the server

Apache:

Add the following to your httpd.conf in your VirtualHost or in an .htaccess file:

Header set Content-Security-Policy "default-src 'self';"

Nginx:

In your server {} block add:

add_header Content-Security-Policy "default-src 'self';";

With server-side configuration none of the pages need to change, and violation reporting is supported.

If Content-Security-Policy is specified both in a meta tag and in the response header, the response header's Content-Security-Policy takes precedence.

CSP policy syntax: directive-name source source; directive-name source ...

For example:

default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

default-src 'self' *.xx.com *.xx.cn aa.com 'unsafe-inline' 'unsafe-eval'

*.xx.com matches subdomains at any depth; the http scheme can be omitted.

default-src: the default policy for all resource types.
script-src: the loading policy for JS. It overrides the default-src policy. For example, with default-src xx.com; script-src x.com xx.com; xx.com must be listed again in script-src, because script-src replaces the entire default-src rule as a whole rather than merging with it.
'unsafe-inline': allows inline JS to execute. It is not allowed by default, so this must be added if the page has any inline code.
'unsafe-eval': allows eval and similar functions.
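As an added example (not code from the original post), the following Python checker parses a policy string in the syntax above and decides whether a URL is allowed, applying the two rules just stated: a present script-src replaces default-src as a whole instead of merging with it, and *.xx.com covers subdomains at any depth but not the bare xx.com. The hostnames and page origins used are constructed for illustration.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent. Directives such
# as frame-ancestors, form-action, sandbox and report-uri never fall back.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "media-src", "child-src",
                    "frame-src"}

def parse_csp(header):
    """Split a CSP string into {directive: [source expressions]}.
    Directives are ';'-separated; tokens within one are whitespace-separated."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def host_matches(pattern, host):
    """Host-source matching: an exact host, or '*.xx.com', which covers every
    subdomain at any depth (a.xx.com, b.a.xx.com) but not xx.com itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix ".xx.com"
    return pattern == host

def source_allowed(policy, directive, url, page_origin):
    """True if `url` may be loaded under `directive` on a page at `page_origin`.
    A directive that is present replaces default-src completely (no merging);
    an absent fetch directive uses default-src; no applicable list allows all."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True
    u, page = urlsplit(url), urlsplit(page_origin)
    for src in sources:
        if src == "'self'":
            if (u.scheme, u.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):        # 'none', 'unsafe-inline', 'unsafe-eval':
            continue                     # keywords, they never match a URL
        elif src.endswith(":"):          # scheme-source such as "jsxxx:" or "https:"
            if u.scheme == src[:-1]:
                return True
        else:                            # host-source; a leading scheme is ignored here
            host_pat = src.split("://", 1)[-1]
            if host_matches(host_pat, u.hostname or ""):
                return True
    return False
```

With default-src xx.com; script-src x.com, an image from xx.com is allowed (img-src falls back to default-src) while a script from xx.com is blocked, which is exactly why xx.com has to be repeated in script-src.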

For a custom scheme such as jsxxx://aaa.com you can write just jsxxx:

To automatically upgrade http requests to https on an https page, use upgrade-insecure-requests

<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.xx.com *.xx.cn 'unsafe-inline' 'unsafe-eval' upgrade-insecure-requests;">

Support for this on iOS is limited.

CSP browser support

CSP Level 1 is now supported by most browsers.

The directives in CSP Level 1 are:

default-src, script-src, style-src, img-src, connect-src, font-src, object-src, media-src, sandbox, report-uri

CSP Level 2 adds some new directives:

child-src, form-action, frame-ancestors, plugin-types. For current mobile development, Level 2 is fully usable.

Detailed directive reference (source: https://content-security-policy.com/):

| Directive | Example Value | Description | CSP Level | Browser Support (Chrome / Firefox / Safari / Edge, minimum version) |
|---|---|---|---|---|
| default-src | 'self' cdn.example.com | The default-src is the default policy for loading content such as JavaScript, images, CSS, fonts, AJAX requests, frames and HTML5 media. See the Source List Reference for possible values. | CSP Level 1 | 25+ / 23+ / 7+ / 12+ |
| script-src | 'self' js.example.com | Defines valid sources of JavaScript. | CSP Level 1 | 25+ / 23+ / 7+ / 12+ |
| style-src | 'self' css.example.com | Defines valid sources of stylesheets. | CSP Level 1 | 25+ / 23+ / 7+ / 12+ |
| img-src | 'self' img.example.com | Defines valid sources of images. | CSP Level 1 | 25+ / 23+ / 7+ / 12+ |
| connect-src | 'self' | Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed, the browser emulates a 400 HTTP status code. | CSP Level 1 | 25+ / 23+ / 7+ / 12+ |
| font-src | font.example.com | Defines valid sources of fonts. | CSP Level 1 | 25+ / 23+ / 7+ / 12+ |
| object-src | 'self' | Defines valid sources of plugins, e.g. <object>, <embed> or <applet>. | CSP Level 1 | 25+ / 23+ / 7+ / 12+ |
| media-src | media.example.com | Defines valid sources of audio and video, e.g. HTML5 <audio> and <video> elements. | CSP Level 1 | 25+ / 23+ / 7+ / 12+ |
| frame-src | 'self' | Defines valid sources for loading frames. child-src is preferred over this deprecated directive. | Deprecated | |
| sandbox | allow-forms allow-scripts | Enables a sandbox for the requested resource similar to the iframe sandbox attribute. The sandbox applies a same-origin policy, prevents popups and plugins, and blocks script execution. You can keep the sandbox value empty to keep all restrictions in place, or add values: allow-forms, allow-same-origin, allow-scripts, allow-popups, allow-modals, allow-orientation-lock, allow-pointer-lock, allow-presentation, allow-popups-to-escape-sandbox, and allow-top-navigation. | CSP Level 1 | 25+ / 50+ / 7+ / 12+ |
| report-uri | /some-report-uri | Instructs the browser to POST reports of policy failures to this URI. You can also append -Report-Only to the HTTP header name to instruct the browser to only send reports (it does not block anything). | CSP Level 1 | 25+ / 23+ / 7+ / 12+ |
| child-src | 'self' | Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. | CSP Level 2 | 40+ / 45+ / - / - |
| form-action | 'self' | Defines valid sources that can be used as an HTML <form> action. | CSP Level 2 | 40+ / 36+ / - / - |
| frame-ancestors | 'none' | Defines valid sources for embedding the resource using <frame>, <iframe>, <object>, <embed> or <applet>. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY. | CSP Level 2 | 39+ / 33+ / - / - |
| plugin-types | application/pdf | Defines valid MIME types for plugins invoked via <object> and <embed>. To load an <applet> you must specify application/x-java-applet. | CSP Level 2 | 40+ / - / - / - |

References:

https://content-security-policy.com/

http://baike.baidu.com/link?url=d0CILP0CXyvCuc_pRv7-3gRNXjEPKwiDWEReXi4uzEr8IPkktX3VLfnUnRyc70cLn9zSyviOfmpS8aAWUd3xrK
