CSP 内容安全策略

CSP.md

CSP 内容安全策略

https://developers.google.com/web/fundamentals/security/csp/

CSP 基于白名单来源，因为此方法可明确指示浏览器将特定的资源集视为可接受的资源，并拒绝其余资源。

https://developers.google.com/web/fundamentals/security/csp/

TL;DR

• 使用白名单告诉客户端允许加载和不允许加载的内容。
• 了解可使用哪些指令。
• 了解这些指令接受哪些关键字。
• 内联代码和 eval() 被视为是有害的。
• 向服务器举报政策违规行为，以免执行这些行为。

    
<meta http-equiv="Content-Security-Policy" 
content="default-src https://cdn.example.net; child-src 'none'; object-src 'none'" />

https://github.com/xgqfrms-GitHub/webgeeker/blob/gh-pages/CSP/readme.md

https://publish.twitter.com/#
https://blog.twitter.com/2011/improving-browser-security-with-csp
https://developers.facebook.com/docs/plugins/like-button
https://developers.google.com/+/web/+1button/

Content-Security-Policy: 
default-src 'none'; 
script-src https://cdn.mybank.net; style-src https://cdn.mybank.net;
img-src https://cdn.mybank.net; 
connect-src https://api.mybank.com; child-src 'self'

Content-Security-Policy: 
default-src https:; 
script-src https: 'unsafe-inline';
style-src https: 'unsafe-inline'

Content Security Policy Level 3

W3C Working Draft, 13 September 2016

https://www.w3.org/TR/CSP3/

Content Security Policy Level 2

W3C Recommendation, 15 December 2016

https://www.w3.org/TR/CSP2/

CORS & CSP

Fetch API get json data

https://gist.github.com/xgqfrms-GitHub/840fe27cecb9e7217fb4f0b09db19406

CSP & CORS

document.readyState & DOMContentLoaded

https://gist.github.com/xgqfrms-GitHub/b0da64ef34e0ba8072de09599aeb4cbf