在内容安全策略 (CSP) 中,网站管理员可以定义多种策略范围。这些策略可以被任意组合来满足需求;您并不需要指定全部策略。
内容源
大多数策略指令需要一个或多个内容源。内容源是一串表明内容可能从哪里加载的字符串。
源列表
源列表是一个字符串,指定了一个或多个互联网主机(通过主机名或 IP 地址),和可选的 URL 协议和/或端口号。站点地址可以包含可选的通配符前缀 (星号, '*'),端口号也可以使用通配符 (同样是 '*') 来表明所有合法端口都是有效来源。主机通过空格分隔。
有效的主机表达式包括:
- https://*.foo.com
- 匹配所有使用
http:URL 协议加载 foo.com 任何子域名的尝试。 - mail.foo.com:443
- 匹配所有访问 mail.foo.com 的 443 端口 的尝试。
- https://store.foo.com
- 匹配所有使用
https:协议访问 store.foo.com 的尝试。
如果端口号没有被指定,浏览器会使用指定协议的默认端口号。如果协议没有被指定,浏览器会使用访问该文档时的协议。
关键字
有一些关键字可以用来描述某类特别的内容源。它们是:
'none'- 代表空集;即不匹配任何 URL。两侧单引号是必须的。
'self'- 代表和文档同源,包括相同的 URL 协议和端口号。两侧单引号是必须的。
'unsafe-inline'- 允许使用内联资源,如内联的
<script>元素、javascript:URL、内联的事件处理函数和内联的<style>元素。两侧单引号是必须的。 'unsafe-eval'- 允许使用
eval()等通过字符串创建代码的方法。两侧单引号是必须的。
例如,您可以指定内容能从文档源和 trustedscripts.foo.com 加载:
Content-Security-Policy: default-src 'self' trustedscripts.foo.com
数据
data: URI 是不安全的,如果它们被允许成为脚本来源,则会使您的网站有跨站脚本攻击风险。- data:
- 允许
data:URI 作为内容来源。这是不安全的,因为攻击者可以精心构造 data: URI 来攻击。请谨慎地使用这个源,并确保不要用于脚本。 - mediastream:
- 允许
mediastream:URI 作为内容源。
Content-Security-Policy: default-src 'self'; img-src 'self' data:; media-src mediastream:
支持的策略指令
以下策略指令可以为多种策略范围配置安全策略。
base-uri
base-uri 指令定义了 URI,它可以作为文档的基准 URL。如果没有指定值,那么任何 URI 都被允许。如果没有指定这条指令,浏览器会使用 base 元素中的 URL。
base-uri source-list
child-src
child-src 指定定义了 web workers 以及嵌套的浏览上下文(如 <frame> 和 <iframe> )的源。推荐使用该指令,而不是被废弃的 frame-src 指令。对于 web workers,不符合要求的请求会被当做致命网络错误。
default-src 指令。child-src source-list
connect-src
connect-src 指令定义了请求、XMLHttpRequest、WebSocket 和 EventSource 的连接来源。
default-src 指令。xhr-src was used in place of the connect-src directive and only restricted the use of XMLHttpRequest.connect-srcsource-list
default-src
default-src 指令定义了那些没有被更精确指令指定的(默认)安全策略。该指令包含了以下指令:
child-srcconnect-srcfont-srcimg-srcmedia-srcobject-srcscript-srcstyle-src
default-srcsource-list
font-src
The font-src directive specifies valid sources for fonts loaded using @font-face.
default-src directive.font-srcsource-list
form-action
The form-action directive specifies valid endpoints for <form> submissions.
form-action source-listframe-ancestors
The frame-ancestors directive specifies valid parents that may embed a page using the <frame> and <iframe> elements. This directive is not supported in the element or by the Content-Security-policy-Report-Only header field.
frame-ancestorssource-list
frame-src
The frame-src directive specifies valid sources for web workers and nested browsing contexts loading using elements such as <frame> and <iframe>.
child-src instead.frame-src source-list
img-src
The img-src directive specifies valid sources of images and favicons.
default-src directive.img-srcsource-list
media-src
The media-src directive specifies valid sources for loading media using the <audio> and <video> elements.
default-src directive.media-srcsource-list
object-src
The object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements.
default-src directive.object-srcsource-list
plugin-types
The plugin-types directive specifies the valid plugins that the user agent may invoke.
plugin-types type-list
referrer
The referrer directive specifies information in the referrer header for links away from a page.
referrer value
reflected-xss
The reflected-xss directive instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks. Valid values are allow, block, and filter. This directive is not supported in the element.
meta element.reflected-xss value
report-uri
The report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. See Using CSP violation reports for details. This directive is not supported in the element.
report-uriuri
sandbox
The sandbox directive applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. This directive is not supported in the element or by the Content-Security-policy-Report-Only header field.
sandbox value
script-src
The script-src directive specifies valid sources for JavaScript. When either the script-src or the default-src directive is included, inline script and eval() are disabled unless you specify 'unsafe-inline' and 'unsafe-eval', respectively.
default-src directive.script-srcsource-list
style-src
The style-src directive specifies valid sources for stylesheets. This includes both externally-loaded stylesheets and inline use of the <style> element and HTML style attributes. Stylesheets from sources that aren't included in the source list are not requested or loaded. When either the style-src or the default-src directive is included, inline use of the <style> element and HTML style attributes are disabled unless you specify 'unsafe-inline'.
default-src directive.style-srcsource-list
report-uri as the content being protected by Content Security Policy.upgrade-insecure-requests
A Chrome-only policy that instructs user agents to treat all of a site's unsecure URL's (those serverd over HTTP) as though they have been replaced with secure URL's (those served over HTTPS). This directive is intended for web sites with large numbers of usecure legacy URL's that need to be rewritten. This feature was added in Chrome 43.0.
Specifications
| Specification | Status | Comment |
|---|---|---|
| Content Security Policy Level 2 CSP directives |
Candidate Recommendation | Added base-uri, child-src, form-action, frame-ancestors, plugin-types, referrer, reflected-xss. |
| Content Security Policy 1.0 CSP directives |
Candidate Recommendation | Initial definition. |
Browser compatibility
| Feature | Chrome | Firefox (Gecko) | Internet Explorer | Opera | Safari |
|---|---|---|---|---|---|
| Basic support |
14 (X-Webkit-CSP) 25 |
4.0 (2.0) (X-Content-Security-Policy) 24.0 (24.0) |
12 | 15 |
6 (X-Webkit-CSP) 7 |
| base-uri | |||||
| child-src | |||||
| connect-src | |||||
| default-src | |||||
| font-src | |||||
| form-action | 41 | 36.0 (36.0) | ? | ? | ? |
frame-ancestors |
41 | 4.0 (2.0) | ? | ? | ? |
| frame-src | |||||
| img-src | ? | ? | ? | ||
| media-src | |||||
| object-src | |||||
| plugin-types | |||||
| referrer | |||||
| reflected-xss | |||||
| report-uri | |||||
| sandbox | |||||
| script-src | |||||
| style-src |
| Feature | Android | Firefox Mobile (Gecko) | IE Mobile | Opera Mobile | Safari Mobile |
|---|---|---|---|---|---|
| Basic support | (Yes) | 4.0 (2.0) | ? | ? | iOS 7.1 |
frame-ancestors |
? | 4.0 (2.0) | ? | ? | ? |
form-action |
? | 36.0 (36.0) | ? | ? | ? |
Specifications
| Specification | Status | Comment |
|---|---|---|
| Content Security Policy Level 2.0 | Candidate Recommendation | Adds base-uri, child-src, form-action, frame-ancestors, plugin-types, referrer, reflected-xss, and report-uri. Deprecates frame-src. |
| Content Security Policy 1.0 | Candidate Recommendation | Defines connect-src, default-src, font-src, frame-src, img-src, media-src, objects-src, report-uri,sandbox, script-src, and style-src. |
See also