author  Peter Bengtsson <mail@peterbe.com>  2020-12-08 14:40:17 -0500
committer  Peter Bengtsson <mail@peterbe.com>  2020-12-08 14:40:17 -0500
commit  33058f2b292b3a581333bdfb21b8f671898c5060 (patch)
tree  51c3e392513ec574331b2d3f85c394445ea803c6 /files/zh-cn/web/http/headers/content-security-policy
parent  8b66d724f7caf0157093fb09cfec8fbd0c6ad50a (diff)
initial commit
Diffstat (limited to 'files/zh-cn/web/http/headers/content-security-policy')
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/base-uri/index.html  106
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/block-all-mixed-content/index.html  58
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/child-src/index.html  89
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/connect-src/index.html  114
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/default-src/index.html  151
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/font-src/index.html  99
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/form-action/index.html  102
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/frame-ancestors/index.html  110
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/index.html  226
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/report-to/index.html  82
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/require-sri-for/index.html  70
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/sandbox/index.html  99
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/script-src-elem/index.html  87
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/upgrade-insecure-requests/index.html  84
-rw-r--r--  files/zh-cn/web/http/headers/content-security-policy/worker-src/index.html  92
15 files changed, 1569 insertions, 0 deletions
diff --git a/files/zh-cn/web/http/headers/content-security-policy/base-uri/index.html b/files/zh-cn/web/http/headers/content-security-policy/base-uri/index.html
new file mode 100644
index 0000000000..1581c12994
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/base-uri/index.html
@@ -0,0 +1,106 @@
+---
+title: 'CSP: base-uri'
+slug: Web/HTTP/Headers/Content-Security-Policy/base-uri
+tags:
+ - CSP
+ - HTTP
+ - 安全
+ - 指令
+ - 文档指令
+translation_of: Web/HTTP/Headers/Content-Security-Policy/base-uri
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP 协议 {{HTTPHeader("Content-Security-Policy")}} 首部字段中的 <strong><code>base-uri</code></strong> 指令限制了可以应用于一个文档的 {{HTMLElement("base")}} 元素的 URL。假如指令值为空,那么任何 URL 都是允许的。如果指令不存在,那么用户代理会使用 {{HTMLElement("base")}} 元素中的值。 </p>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP version</th>
+ <td>2</td>
+ </tr>
+ <tr>
+ <th scope="row">Directive type</th>
+ <td>{{Glossary("Document directive")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">{{CSP("default-src")}} fallback</th>
+ <td>No. Not setting this allows anything.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="语法">语法</h2>
+
+<p>base-uri 安全策略可以设置一个或多个源:</p>
+
+<pre class="syntaxbox">Content-Security-Policy: base-uri &lt;source&gt;;
+Content-Security-Policy: base-uri &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="源">源</h3>
+
+<p>{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>
+
+<h2 id="示例">示例</h2>
+
+<h3 id="Meta_tag_配置">Meta tag 配置</h3>
+
+<pre class="brush: html">&lt;meta http-equiv="Content-Security-Policy" content="base-uri 'self'"&gt;</pre>
+
+<h3 id="Apache_配置">Apache 配置</h3>
+
+<pre class="brush: bash">&lt;IfModule mod_headers.c&gt;
+Header set Content-Security-Policy "base-uri 'self';
+&lt;/IfModule&gt;</pre>
+
+<h3 id="Nginx_配置">Nginx 配置</h3>
+
+<pre class="brush: bash">add_header Content-Security-Policy "base-uri 'self';"</pre>
+
+<h3 id="违犯策略的案例"><em>违犯策略的案例</em></h3>
+
+<p>假如你的域名不是 example.com,那么将 {{HTMLElement("base")}} 元素的 href 属性值设置成 example.com 会违犯 CSP 策略。</p>
+
+<pre class="brush: html; example-bad">&lt;meta http-equiv="Content-Security-Policy" content="base-uri 'self'"&gt;
+&lt;base href="http://example.com/"&gt;
+
+// Error: Refused to set the document's base URI to 'http://example.com/'
+// because it violates the following Content Security Policy
+// directive: "base-uri 'self'"</pre>
+
+<h2 id="规范">规范</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-base-uri", "base-uri")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>No changes.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1", "#directive-base-uri", "base-uri")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="浏览器兼容性">浏览器兼容性</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.base-uri")}}</p>
+
+<h2 id="相关内容">相关内容</h2>
+
+<ul>
+ <li>{{HTTPheader("Content-Security-Policy")}}</li>
+ <li>{{HTMLElement("base")}}</li>
+ <li>{{domxref("Node.baseURI")}}</li>
+</ul>
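Review bot: the Apache example in this hunk is missing its closing double quote: `Header set Content-Security-Policy "base-uri 'self';` leaves the header value unterminated, so Apache will refuse to load the configuration; it should read `Header set Content-Security-Policy "base-uri 'self';"`. The Nginx example has the opposite problem: `add_header Content-Security-Policy "base-uri 'self';"` lacks the trailing `;` that nginx requires to terminate an add_header statement. Two smaller points: the properties table (CSP version, Directive type, "No. Not setting this allows anything.") is left in English while the rest of the file is translated, and the heading 违犯策略的案例 is wrapped in an `<em>` for no reason; 违反 is also the usual term and is what the form-action file in this same commit uses.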
diff --git a/files/zh-cn/web/http/headers/content-security-policy/block-all-mixed-content/index.html b/files/zh-cn/web/http/headers/content-security-policy/block-all-mixed-content/index.html
new file mode 100644
index 0000000000..bda0d06114
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/block-all-mixed-content/index.html
@@ -0,0 +1,58 @@
+---
+title: 'CSP: block-all-mixed-content'
+slug: Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
+translation_of: Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP 协议首部字段 {{HTTPHeader("Content-Security-Policy")}} (CSP) 中的 <code><strong>block-all-mixed-content</strong></code> 指令在当前页面为通过 HTTPS 协议加载的情况下禁止通过 HTTP 渠道加载任何资源。</p>
+
+<p>任何<a href="/en-US/docs/Web/Security/Mixed_content">混合类型</a>的资源请求都是被禁止的,包括混合活动内容和混合被动内容。这一条也适用于 {{HTMLElement("iframe")}} 中的文档,确保整体页面都不包含混合内容。</p>
+
+<p>{{CSP("upgrade-insecure-requests")}} 指令会在 <code>block-all-mixed-content</code> 之前执行;如果前者执行成功,后者就不再发挥任何作用。推荐的做法是设置二者之一,而不是全部。</p>
+
+<h2 id="语法">语法</h2>
+
+<pre class="syntaxbox">Content-Security-Policy: block-all-mixed-content;</pre>
+
+<h2 id="示例">示例</h2>
+
+<pre>Content-Security-Policy: block-all-mixed-content;
+
+&lt;meta http-equiv="Content-Security-Policy" content="block-all-mixed-content"&gt;
+</pre>
+
+<p>为了在更细粒度上限制对 http 资源的访问,你可以将个别指令的值设置为 "https:"。例如,为了限制对不安全的走 http 协议的图片的访问,可以这么做:</p>
+
+<pre>Content-Security-Policy: img-src https:</pre>
+
+<h2 id="规范">规范</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("Mixed Content", "#block-all-mixed-content", "block-all-mixed-content")}}</td>
+ <td>{{Spec2('Mixed Content')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="浏览器兼容性">浏览器兼容性</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.block-all-mixed-content")}}</p>
+
+<h2 id="相关内容">相关内容</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{CSP("upgrade-insecure-requests")}}</li>
+ <li><a href="/en-US/docs/Web/Security/Mixed_content">Mixed content</a></li>
+</ul>
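Review bot: the example block under 示例 puts an HTTP header line and an HTML `<meta>` tag into one `<pre>` with no brush class, so a reader cannot tell that these are two alternative ways of delivering the same policy; the other files in this commit use separate `<pre class="brush: bash">` and `<pre class="brush: html">` blocks (see base-uri), and the `img-src https:` example below it should get a brush class as well. In the prose, 推荐的做法是设置二者之一,而不是全部 says "not all" where the intent is "not both"; 而不是同时设置两者 states the recommendation precisely, and it is consistent with the preceding sentence that upgrade-insecure-requests is evaluated first and makes this directive a no-op.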
diff --git a/files/zh-cn/web/http/headers/content-security-policy/child-src/index.html b/files/zh-cn/web/http/headers/content-security-policy/child-src/index.html
new file mode 100644
index 0000000000..6299b2768c
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/child-src/index.html
@@ -0,0 +1,89 @@
+---
+title: 'CSP: child-src'
+slug: Web/HTTP/Headers/Content-Security-Policy/child-src
+translation_of: Web/HTTP/Headers/Content-Security-Policy/child-src
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) <strong><code>child-src</code></strong> directive defines the valid sources for <a href="/en-US/docs/Web/API/Web_Workers_API">web workers</a> and nested <a id="002" name="002">browsing </a>contexts loaded using elements such as {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}. For workers, non-compliant requests are treated as fatal network errors by the user agent.</p>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP version</th>
+ <td>2</td>
+ </tr>
+ <tr>
+ <th scope="row">Directive type</th>
+ <td>{{Glossary("Fetch directive")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">{{CSP("default-src")}} fallback</th>
+ <td>Yes. If this directive is absent, the user agent will look for the <code>default-src</code> directive.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<p>One or more sources can be allowed for the child-src policy:</p>
+
+<pre class="syntaxbox">Content-Security-Policy: child-src &lt;source&gt;;
+Content-Security-Policy: child-src &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="Sources">Sources</h3>
+
+<p>{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}</p>
+
+<h2 id="Examples">Examples</h2>
+
+<h3 id="Violation_cases">Violation cases</h3>
+
+<p>Given this CSP header:</p>
+
+<pre class="brush: bash">Content-Security-Policy: child-src https://example.com/</pre>
+
+<p>This {{HTMLElement("iframe")}} and worker are blocked and won't load:</p>
+
+<pre class="brush: html">&lt;iframe src="https://not-example.com"&gt;&lt;/iframe&gt;
+
+&lt;script&gt;
+ var blockedWorker = new Worker("data:application/javascript,...");
+&lt;/script&gt;</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-child-src", "child-src")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>No changes.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1", "#directive-child-srci", "child-src")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.Content-Security-Policy.child-src")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTMLElement("frame")}} and {{HTMLElement("iframe")}}</li>
+ <li>{{domxref("Worker")}}, {{domxref("SharedWorker")}}, {{domxref("ServiceWorker")}}</li>
+</ul>
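Review bot: the CSP 1.1 specification row `{{specName("CSP 1.1", "#directive-child-srci", "child-src")}}` has a stray trailing `i` in the fragment and will link to a non-existent anchor; it should be "#directive-child-src", matching the CSP 3.0 row above it. Beyond that, the whole body of this file (intro, headings, tables, examples) is still the English page, so it should be translated or dropped from a zh-cn commit. The Sources section transcludes from connect-src via `{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}`, while every other file in this commit pulls from default-src, which is the page that actually defines the source list; the Compat key "http.headers.csp.Content-Security-Policy.child-src" has a different shape from the "http.headers.csp.<directive>" keys used by the sibling files; and the `<a id="002" name="002">browsing </a>` wrapper in the first paragraph is editor residue that should be removed.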
diff --git a/files/zh-cn/web/http/headers/content-security-policy/connect-src/index.html b/files/zh-cn/web/http/headers/content-security-policy/connect-src/index.html
new file mode 100644
index 0000000000..3951f7ee6b
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/connect-src/index.html
@@ -0,0 +1,114 @@
+---
+title: 'CSP: connect-src'
+slug: Web/HTTP/Headers/Content-Security-Policy/connect-src
+translation_of: Web/HTTP/Headers/Content-Security-Policy/connect-src
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP协议头部{{HTTPHeader("Content-Security-Policy")}} (CSP)的<code><strong>connect</strong></code><strong><code>-src</code></strong> 指令用于控制允许通过脚本接口加载的链接地址。其中受到影响的API如下: </p>
+
+<ul>
+ <li>{{HTMLElement("a")}} {{htmlattrxref("ping", "a")}},</li>
+ <li>{{domxref("Fetch")}},</li>
+ <li>{{domxref("XMLHttpRequest")}},</li>
+ <li>{{domxref("WebSocket")}}, and</li>
+ <li>{{domxref("EventSource")}}.</li>
+</ul>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP version</th>
+ <td>1</td>
+ </tr>
+ <tr>
+ <th scope="row">Directive type</th>
+ <td>{{Glossary("Fetch directive")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">{{CSP("default-src")}} fallback</th>
+ <td>Yes. If this directive is absent, the user agent will look for the <code>default-src</code> directive.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<p>connect-src 可以设置一个或者多个源地址: </p>
+
+<pre class="syntaxbox">Content-Security-Policy: connect-src &lt;source&gt;;
+Content-Security-Policy: connect-src &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="Sources">Sources</h3>
+
+<p>{{page("/Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>
+
+<h2 id="Examples">Examples</h2>
+
+<h3 id="Violation_cases">Violation cases</h3>
+
+<p>给定如下CSP头部: </p>
+
+<pre class="brush: bash">Content-Security-Policy: connect-src https://example.com/</pre>
+
+<p>如下的连接请求会被阻塞且不会加载: </p>
+
+<pre class="brush: html">&lt;a ping="https://not-example.com"&gt;
+
+&lt;script&gt;
+ var xhr = new XMLHttpRequest();
+ xhr.open('GET', 'https://not-example.com/');
+ xhr.send();
+
+ var ws = new WebSocket("https://not-example.com/");
+
+ var es = new EventSource("https://not-example.com/");
+
+ navigator.sendBeacon("https://not-example.com/", { ... });
+&lt;/script&gt;</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-connect-src", "connect-src")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>No changes.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1", "#directive-connect-src", "connect-src")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.connect-src")}}</p>
+
+<h2 id="Compatibility_notes">Compatibility notes</h2>
+
+<ul>
+ <li>Prior to Firefox 23, <code>xhr-src</code> was used in place of the <code>connect-src</code> directive and only restricted the use of {{domxref("XMLHttpRequest")}}.</li>
+</ul>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTMLElement("a")}} {{htmlattrxref("ping", "a")}}</li>
+ <li>{{domxref("Fetch")}}</li>
+ <li>{{domxref("XMLHttpRequest")}}</li>
+ <li>{{domxref("WebSocket")}}</li>
+ <li>{{domxref("EventSource")}}</li>
+</ul>
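Review bot: the Sources transclusion `{{page("/Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}` has a leading slash that none of the other files in this commit use (base-uri and font-src write `Web/HTTP/...`); make it consistent so the macro resolves the same way everywhere. In the violation example, `new WebSocket("https://not-example.com/")` would, in browsers of the time of this commit, throw a SyntaxError in the constructor because the WebSocket API expected a ws: or wss: URL, so the line fails before CSP is consulted; `wss://not-example.com/` demonstrates the connect-src block as intended. `navigator.sendBeacon("https://not-example.com/", { ... })` is pseudocode (an object literal is not valid beacon data) and the `<a ping=...>` element has no href and no closing tag, which is acceptable for an illustration but worth a note so nobody copies it. The Compatibility notes list item is also left untranslated.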
diff --git a/files/zh-cn/web/http/headers/content-security-policy/default-src/index.html b/files/zh-cn/web/http/headers/content-security-policy/default-src/index.html
new file mode 100644
index 0000000000..01cbd8079d
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/default-src/index.html
@@ -0,0 +1,151 @@
+---
+title: 'CSP: default-src'
+slug: Web/HTTP/Headers/Content-Security-Policy/default-src
+tags:
+ - 内容安全策略
+ - 安全
+ - 超文本传输协议
+translation_of: Web/HTTP/Headers/Content-Security-Policy/default-src
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>在 HTTP 协议中,{{HTTPHeader("Content-Security-Policy")}} (CSP) 首部字段中的 <code><strong>default</strong></code><strong><code>-src</code></strong> 指令可以为其他 CSP 拉取指令({{Glossary("fetch directive", "fetch directives")}})提供备选项。对于以下列出的指令,假如不存在的话,那么用户代理会查找并应用 default-src 指令的值。</p>
+
+<ul>
+ <li>{{CSP("child-src")}}</li>
+ <li>{{CSP("connect-src")}}</li>
+ <li>{{CSP("font-src")}}</li>
+ <li>{{CSP("frame-src")}}</li>
+ <li>{{CSP("img-src")}}</li>
+ <li>{{CSP("manifest-src")}}</li>
+ <li>{{CSP("media-src")}}</li>
+ <li>{{CSP("object-src")}}</li>
+ <li>{{CSP("script-src")}}</li>
+ <li>{{CSP("style-src")}}</li>
+ <li>{{CSP("worker-src")}}</li>
+</ul>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP 版本</th>
+ <td>1</td>
+ </tr>
+ <tr>
+ <th scope="row">指令类型</th>
+ <td>{{Glossary("Fetch directive")}}</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="语法">语法</h2>
+
+<p><code>default-src</code> 策略允许指定一个或多个源:</p>
+
+<pre class="syntaxbox">Content-Security-Policy: default-src &lt;source&gt;;
+Content-Security-Policy: default-src &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="源">源</h3>
+
+<p>&lt;source&gt; 可以是以下之一:</p>
+
+<dl>
+ <dt>&lt;host-source&gt;</dt>
+ <dd>以域名或者 IP 地址表示的主机名,外加可选的 URL 协议名(<a href="/en-US/docs/URIs_and_URLs">URL scheme</a>)以及端口号。站点地址中可能会包含一个可选的前置通配符(星号 '*'),同时也可以将通配符(也是'*')应用于端口号,表示在这个源中可以使用任意合法的端口号。<br>
+ 举例说明:
+ <ul>
+ <li><code>http://*.example.com:</code> 匹配从使用 http: 的 example.com 的任意子域的资源加载。</li>
+ <li><code>mail.example.com:443:</code>匹配对 mail.example.com 上的 443 端口号的访问。</li>
+ <li><code>https://store.example.com</code>: 匹配对使用了 https: 的 store.example.com 的访问。</li>
+ </ul>
+ </dd>
+ <dt>&lt;scheme-source&gt;</dt>
+ <dd>协议名如'http:' 或者 'https:'。<strong>必须带有冒号,不要有单引号</strong>。同时你还可以指定数据协议(data schema)(不推荐使用)。
+ <ul>
+ <li><code>data:</code> 允许 <a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs"><code>data:</code> URIs</a> 作为内容的源<em>。这是不安全的。攻击者可以注入任意 data: URI 。不要轻易使用这种形式的源,尤其是脚本,绝对不要使用。</em></li>
+ <li><code>mediastream:</code> 允许 <a href="/en-US/docs/Web/API/MediaStream_API"><code>mediastream:</code> URIs</a> 作为内容的源<em>。</em></li>
+ <li><code>blob:</code> 允许 <a href="/en-US/docs/Web/API/Blob"><code>blob:</code> URIs</a> 作为内容的源<em>。</em></li>
+ <li><code>filesystem:</code> 允许 <a href="/en-US/docs/Web/API/FileSystem"><code>filesystem:</code> URIs</a> 作为内容的源<em>。</em></li>
+ </ul>
+ </dd>
+ <dt><code>'self'</code></dt>
+ <dd>指向与要保护的文件所在的源,包括相同的 URL scheme 与端口号。必须有单引号。一些浏览器会特意排除 blob 与 filesystem 。需要设定这两种内容类型的站点可以在 Data 属性中进行设定。</dd>
+ <dt><code>'unsafe-inline'</code></dt>
+ <dd>允许使用内联资源,例如内联 {{HTMLElement("script")}}  元素(javascript: URL)、内联事件处理器以及内联 {{HTMLElement("style")}} 元素。必须有单引号。</dd>
+ <dt><code>'unsafe-eval'</code></dt>
+ <dd>允许使用 eval() 以及相似的函数来从字符串创建代码。必须有单引号。</dd>
+ <dt><code>'none'</code></dt>
+ <dd>不允许任何内容。 必须有单引号。</dd>
+ <dt>'nonce-&lt;base64值&gt;'</dt>
+ <dd>特定使用一次性加密内联脚本的白名单。服务器必须在每一次传输政策时生成唯一的一次性值。否则将存在绕过资源政策的可能。请参见<a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script">不安全的内联脚本</a>查看示例。</dd>
+ <dt>&lt;hash-source&gt;</dt>
+ <dd>使用 sha256、sha384 或 sha512 编码过的内联脚本或样式。其由用短划线分隔的两部分组成: 用于创建哈希的加密算法, 以及脚本或样式base64编码的哈希值。当生成哈希值的时候,不要包含 &lt;script&gt; 或 &lt;style&gt; 标签,同时注意字母大小写与空格——包括首尾空格——都是会影响生成的结果的。请参见<a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script">不安全的内联脚本</a>。</dd>
+ <dt>'strict-dynamic'</dt>
+ <dd>strict-dynamic 指定对于含有标记脚本(通过附加一个随机数或散列)的信任,应该传播到由该脚本加载的所有脚本。与此同时,任何白名单以及源表达式例如 'self'  或者  'unsafe-inline' 都会被忽略。参见 <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic">script-src</a> 。</dd>
+</dl>
+
+<h2 id="示例">示例</h2>
+
+<h3 id="不继承_default-src_的情况"><code><font face="x-locale-heading-primary, zillaslab, Palatino, Palatino Linotype, x-locale-heading-secondary, serif">不继承 </font>default-src 的情况</code></h3>
+
+<p>假如设定了其他指令,那么 <code>default-src</code> 不会对它们起作用。这个首部</p>
+
+<pre class="brush: bash">Content-Security-Policy: default-src 'self'; script-src https://example.com</pre>
+
+<p>与下列代码等价:</p>
+
+<pre class="brush: bash">Content-Security-Policy: connect-src 'self';
+ font-src 'self';
+ frame-src 'self';
+ img-src 'self';
+ manifest-src 'self';
+ media-src 'self';
+ object-src 'self';
+ script-src https://example.com;
+ style-src 'self';
+ worker-src 'self'</pre>
+
+<h2 id="规范">规范</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">规范</th>
+ <th scope="col">状态</th>
+ <th scope="col">注释</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-default-src", "default-src")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>Added <code>frame-src</code>, <code>manifest-src</code> and <code>worker-src</code> as defaults.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1", "#directive-default-src", "default-src")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="浏览器兼容性">浏览器兼容性</h2>
+
+<p class="hidden">此页中的兼容性表格从已构建的数据中生成。若您想贡献数据,请前往<a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a>并向我们发送Pull request。</p>
+
+<p>{{Compat("http.headers.csp.default-src")}}</p>
+
+<h2 id="另请参阅">另请参阅</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{CSP("connect-src")}}</li>
+ <li>{{CSP("font-src")}}</li>
+ <li>{{CSP("frame-src")}}</li>
+ <li>{{CSP("img-src")}}</li>
+ <li>{{CSP("manifest-src")}}</li>
+ <li>{{CSP("media-src")}}</li>
+ <li>{{CSP("object-src")}}</li>
+ <li>{{CSP("script-src")}}</li>
+ <li>{{CSP("style-src")}}</li>
+ <li>{{CSP("worker-src")}}</li>
+</ul>
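Review bot: the expanded equivalent policy under 不继承 default-src 的情况 omits child-src, even though the fallback list at the top of this page says child-src inherits from default-src; add `child-src 'self';` to the expansion so the two halves of the page agree. Markup nits in the same hunk: the heading `<code><font face="x-locale-heading-primary, zillaslab, ...">不继承 </font>default-src 的情况</code>` carries a `<font>` tag pasted in from the editor and should be plain text with only default-src inside `<code>`; in the host-source examples the trailing colon sits inside the code element (`<code>http://*.example.com:</code>`, `<code>mail.example.com:443:</code>`), which makes the colon look like part of the source expression, while the third item correctly has it outside; and the nonce entry 特定使用一次性加密内联脚本的白名单 is hard to parse as a translation of "an allow-list for specific inline scripts using a cryptographic nonce".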
diff --git a/files/zh-cn/web/http/headers/content-security-policy/font-src/index.html b/files/zh-cn/web/http/headers/content-security-policy/font-src/index.html
new file mode 100644
index 0000000000..89d24a698c
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/font-src/index.html
@@ -0,0 +1,99 @@
+---
+title: 'CSP: font-src'
+slug: Web/HTTP/Headers/Content-Security-Policy/font-src
+tags:
+ - CSP
+ - HTTP
+ - 内容安全策略
+ - 参考
+ - 安全
+translation_of: Web/HTTP/Headers/Content-Security-Policy/font-src
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP 内容安全策略) 中 <code><strong>font</strong></code><strong><code>-src</code></strong> 指令定义了 {{cssxref("@font-face")}} 加载字体的有效源规则。</p>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP 版本</th>
+ <td>1</td>
+ </tr>
+ <tr>
+ <th scope="row">指令类型</th>
+ <td>{{Glossary("Fetch directive")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">{{CSP("default-src")}} 替代</th>
+ <td>是。如果 <code><strong>font</strong></code><strong><code>-src</code></strong> 没有指定,则使用 <code>default-src</code> 指令。</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="语法">语法</h2>
+
+<p><code>font-src</code> 策略可以包含一个或多个源:</p>
+
+<pre class="syntaxbox">Content-Security-Policy: font-src &lt;source&gt;;
+Content-Security-Policy: font-src &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="源代码">源代码</h3>
+
+<p>{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>
+
+<h2 id="示例">示例</h2>
+
+<h3 id="反例">反例</h3>
+
+<p>给出这个 CSP 头:</p>
+
+<pre class="brush: bash">Content-Security-Policy: font-src https://example.com/
+</pre>
+
+<p>以下的字体源将被阻止,不会加载到浏览器中:</p>
+
+<pre class="brush: html">&lt;style&gt;
+ @font-face {
+ font-family: "MyFont";
+ src: url("https://not-example.com/font");
+ }
+ body {
+ font-family: "MyFont";
+ }
+&lt;/style&gt;</pre>
+
+<h2 id="规范">规范</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-font-src", "font-src")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>无变化</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1", "#directive-font-src", "font-src")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>首次定义</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="浏览器兼容性">浏览器兼容性</h2>
+
+<p class="hidden">本页的兼容性表是根据结构化的数据生成的。如果你想贡献更多数据,请到 <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> 并给我们发 pull request。</p>
+
+<p>{{Compat("http.headers.csp.font-src")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{cssxref("@font-face")}}</li>
+</ul>
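Review bot: the heading 源代码 ("source code") under 语法 mistranslates "Sources", which here means the CSP source expressions; the other translated files in this commit use 源 (base-uri, default-src), so use that. The fallback row label `{{CSP("default-src")}} 替代` reads as "replacement" rather than "fallback"; 后备 (as the frame-ancestors file writes it, 是否后备使用) is closer to the meaning. The See also heading is also left in English.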
diff --git a/files/zh-cn/web/http/headers/content-security-policy/form-action/index.html b/files/zh-cn/web/http/headers/content-security-policy/form-action/index.html
new file mode 100644
index 0000000000..8bf84073c7
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/form-action/index.html
@@ -0,0 +1,102 @@
+---
+title: 'CSP: form-action'
+slug: Web/HTTP/Headers/Content-Security-Policy/form-action
+translation_of: Web/HTTP/Headers/Content-Security-Policy/form-action
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) 的 <code><strong>form</strong></code><strong><code>-action</code></strong> 指令能够限定当前页面中表单的提交地址。</p>
+
+<div class="warning">
+<p>在表单提交之后, <code>form-action</code> 指令是否应该阻止重定向仍有待讨论,各个浏览器对于此行为的实现也不尽相同(例如,Chrome 63会阻止重定向,而Firefox 57则不会)。</p>
+</div>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP version</th>
+ <td>2</td>
+ </tr>
+ <tr>
+ <th scope="row">Directive type</th>
+ <td>{{Glossary("Navigation directive")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">{{CSP("default-src")}} fallback</th>
+ <td>No. 未设定时允许任何值.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="语法">语法</h2>
+
+<p><code>form-action</code> 策略允许设定一个或多个源:</p>
+
+<pre class="syntaxbox">Content-Security-Policy: form-action &lt;source&gt;;
+Content-Security-Policy: form-action &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h2 id="示例">示例</h2>
+
+<h3 id="meta标签配置">meta标签配置</h3>
+
+<pre class="brush: html">&lt;meta http-equiv="Content-Security-Policy" content="form-action 'none'"&gt;</pre>
+
+<h3 id="Apache服务器配置">Apache服务器配置</h3>
+
+<pre class="brush: bash">&lt;IfModule mod_headers.c&gt;
+Header set Content-Security-Policy "form-action 'none';
+&lt;/IfModule&gt;</pre>
+
+<h3 id="Nginx配置">Nginx配置</h3>
+
+<pre class="brush: bash">add_header Content-Security-Policy "form-action 'none';"</pre>
+
+<h3 id="反例">反例</h3>
+
+<p>将 {{HTMLElement("form")}} 元素的action设置为内联 JavaScript 会违反CSP规则。</p>
+
+<pre class="brush: html; example-bad">&lt;meta http-equiv="Content-Security-Policy" content="form-action 'none'"&gt;
+
+&lt;form action="javascript:alert('Foo')" id="form1" method="post"&gt;
+ &lt;input type="text" name="fieldName" value="fieldValue"&gt;
+ &lt;input type="submit" id="submit" value="submit"&gt;
+&lt;/form&gt;
+
+// Error: Refused to send form data because it violates the following
+// Content Security Policy directive: "form-action 'none'".</pre>
+
+<h2 id="规范">规范</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-form-action", "form-action")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>No changes.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1", "#directive-form-action", "form-action")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="浏览器兼容性">浏览器兼容性</h2>
+
+<p class="hidden">本页面的兼容性列表由结构化数据生成,如果你想完善这些数据,请移步 <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> 并向我们发起pull request。</p>
+
+<p>{{Compat("http.headers.csp.form-action")}}</p>
+
+<h2 id="参见">参见</h2>
+
+<ul>
+ <li>{{HTTPheader("Content-Security-Policy")}}</li>
+ <li>{{HTMLElement("form")}}</li>
+</ul>
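Review bot: the Apache and Nginx examples have the same two defects as in base-uri: `Header set Content-Security-Policy "form-action 'none';` is missing its closing double quote and should end with `'none';"`, and `add_header Content-Security-Policy "form-action 'none';"` is missing the trailing `;` that terminates an nginx statement. A smaller point: the fallback cell `No. 未设定时允许任何值.` mixes an English "No." and a Latin full stop into a Chinese sentence; 否。未设定时允许任何值。 matches the frame-ancestors file.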
diff --git a/files/zh-cn/web/http/headers/content-security-policy/frame-ancestors/index.html b/files/zh-cn/web/http/headers/content-security-policy/frame-ancestors/index.html
new file mode 100644
index 0000000000..23dd67cca2
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/frame-ancestors/index.html
@@ -0,0 +1,110 @@
+---
+title: 'CSP: frame-ancestors'
+slug: Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+translation_of: Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP头部 {{HTTPHeader("Content-Security-Policy")}} (CSP) <code>中的<strong>frame-ancestors</strong></code> 指令指定了一个可以包含{{HTMLElement("frame")}},{{HTMLElement("iframe")}},{{HTMLElement("object")}},{{HTMLElement("embed")}},or {{HTMLElement("applet")}}等元素的有效父级。</p>
+
+<p>当该指令设置为<code>'none'时,其作用类似于</code>{{HTTPHeader("X-Frame-Options")}}<code>: DENY</code> (该头部被一些老版本浏览器所支持)。</p>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP版本(CSP version)</th>
+ <td>2</td>
+ </tr>
+ <tr>
+ <th scope="row">指令类型(Directive type)</th>
+ <td>{{Glossary("Navigation directive")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">是否后备使用{{CSP("default-src")}}</th>
+ <td>否。如未设置则允许所有可能值。</td>
+ </tr>
+ <tr>
+ <th colspan="2" scope="row">该指令不支持通过{{HTMLElement("meta")}} 元素或通过 {{HTTPHeader("Content-Security-policy-Report-Only")}} 头域所指定.</th>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<p><code>frame-ancestors</code>策略可以设置一个或多个源&lt;source&gt;:</p>
+
+<pre class="syntaxbox">Content-Security-Policy: frame-ancestors &lt;source&gt;;
+Content-Security-Policy: frame-ancestors &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="Sources">Sources</h3>
+
+<p>&lt;source&gt; 可以是如下内容:</p>
+
+<div class="note">
+<p><code>frame-ancestors</code>指令的语法类似于其他指令的源列表(source list,如{{CSP("default-src")}}),但不允许<code>'unsafe-eval'或</code><code>'unsafe-inline'</code> 。它也不会回退使用<code>default-src</code>的值。仅有如下的源列表是可用的:</p>
+</div>
+
+<dl>
+ <dt>&lt;host-source&gt;</dt>
+ <dd>一个Internet主机的名称或IP地址,以及一个可选的<a href="/en-US/docs/URIs_and_URLs">URL scheme</a>和/或端口号。这些站点的地址可以包含一个可选的引导通配符(星号, <code>'*'),或者你可以使用通配符</code>(同样还是, <code>'*')作为端口地址</code>,以示这个源的所有合法端口地址都是有效的。<br>
+ 例子:
+ <ul>
+ <li><code>http://*.example.com</code>: 匹配所有使用http:URL scheme并来对于example.com及其子域名的加载意图。</li>
+ <li><code>mail.example.com:443</code>: 匹配所有对于mail.example.com在443端口的访问意图。</li>
+ <li><code>https://store.example.com</code>: 匹配所有使用https:访问store.example.com的意图。</li>
+ </ul>
+ </dd>
+ <dt>&lt;scheme-source&gt;</dt>
+ <dd>一个schema配置,比如'http:'或'https:'。注意,冒号是必要的。你同样也可以指定一个data schema(但并不推荐)。
+ <ul>
+ <li>'<code>data:</code>' 允许 <a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs"><code>data:</code> URIs</a> 作为内容源。<em> 这是不安全的,攻击者可以用此来注入恶意代码。请谨慎使用,并不要令其作用于脚本。</em></li>
+ <li><code>'mediastream:'</code> 允许 <a href="/en-US/docs/Web/API/MediaStream_API"><code>mediastream:</code> URIs</a> 作为内容源.</li>
+ <li><code>'blob:'</code> 允许 <a href="/en-US/docs/Web/API/Blob"><code>blob:</code> URIs</a> 作为内容源.</li>
+ <li><code>'filesystem:'</code> 允许 <a href="/en-US/docs/Web/API/FileSystem"><code>filesystem:</code> URIs</a> 作为内容源.</li>
+ </ul>
+ </dd>
+ <dt><code>'self'</code></dt>
+ <dd>指向一个该受保护文档所在的源,包含同样的URL schema和端口号。必须用单引号设置。有些浏览器会从源指令中排<code>除blob</code>和<code>filesystem</code>。需要允许这些内容类型的站点可以通过Data属性指定它们。</dd>
+ <dt><code>'none'</code></dt>
+ <dd>指向一个空集,意味着没有URL会被匹配。也需要单引号包裹设置。</dd>
+</dl>
+
+<h2 id="Examples">Examples</h2>
+
+<pre class="brush: bash">Content-Security-Policy: frame-ancestors 'none';</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-frame-ancestors", "frame-ancestors")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>No changes.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1", "#directive-frame-ancestors", "frame-ancestors")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.frame-ancestors")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTTPHeader("X-Frame-Options")}}</li>
+</ul>
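Review bot: the host-source example `http://*.example.com: 匹配所有使用http:URL scheme并来对于example.com及其子域名的加载意图` says the pattern matches example.com and its subdomains, but a leading `*.` in a CSP host-source matches subdomains only, not the bare example.com; the default-src file in this commit translates the same item correctly as 任意子域, so reword this one to 匹配所有使用 http: 从 example.com 的任意子域加载的请求. Separately, several `<code>` elements in this hunk wrap Chinese prose rather than code: `<code>中的<strong>frame-ancestors</strong></code>`, `<code>'none'时,其作用类似于</code>`, `<code>'*'),或者你可以使用通配符</code>` and `排<code>除blob</code>`; move the tags so only the identifiers are inside them. The macro `{{HTTPHeader("Content-Security-policy-Report-Only")}}` spells the header with a lowercase "policy"; the header name is Content-Security-Policy-Report-Only.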
diff --git a/files/zh-cn/web/http/headers/content-security-policy/index.html b/files/zh-cn/web/http/headers/content-security-policy/index.html
new file mode 100644
index 0000000000..391086d5a6
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/index.html
@@ -0,0 +1,226 @@
+---
+title: Content-Security-Policy
+slug: Web/HTTP/Headers/Content-Security-Policy
+translation_of: Web/HTTP/Headers/Content-Security-Policy
+---
+<div>{{HTTPSidebar}}</div>
+
+<div>HTTP 响应头<strong><code>Content-Security-Policy</code></strong>允许站点管理者控制用户代理能够为指定的页面加载哪些资源。除了少数例外情况,设置的政策主要涉及指定服务器的源和脚本结束点。这将帮助防止跨站脚本攻击(<code>Cross-Site Script</code>)({{Glossary("XSS")}})。</div>
+
+<p>如需更多信息,请查阅<a href="/en-US/docs/Web/HTTP/CSP">Content Security Policy (CSP)</a>。</p>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">头部类型</th>
+ <td>{{Glossary("Response header")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">{{Glossary("Forbidden header name")}}</th>
+ <td>no</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="语法">语法</h2>
+
+<pre class="syntaxbox">Content-Security-Policy: &lt;policy-directive&gt;; &lt;policy-directive&gt;
+</pre>
+
+<h2 id="指令">指令</h2>
+
+<h3 id="获取指令:GlossaryFetch_directive_Fetch_directives">获取指令:{{Glossary("Fetch directive", "Fetch directives")}}</h3>
+
+<p>通过获取指令来控制某些可能被加载的确切的资源类型的位置。</p>
+
+<dl>
+ <dt>{{CSP("child-src")}}</dt>
+ <dd><strong>child-src:</strong>为 <a href="/zh-CN/docs/Web/API/Web_Workers_API">web workers</a> 和其他内嵌浏览器内容(例如用{{HTMLElement("frame")}}和{{HTMLElement("iframe")}}加载到页面的内容)定义合法的源地址。</dd>
+ <dt>
+ <div class="warning">
+ <p>如果开发者希望管控内嵌浏览器内容和 web worker 应分别使用{{CSP("frame-src")}}和{{CSP("worker-src")}} 指令,来相对的取代 <code><strong>child-src</strong></code>。</p>
+ </div>
+ </dt>
+ <dt></dt>
+ <dt>{{CSP("connect-src")}}</dt>
+ <dd><strong>connect-src:</strong>限制能通过脚本接口加载的URL。</dd>
+ <dt>{{CSP("default-src")}}</dt>
+ <dd><strong>default-src:</strong>为其他取指令提供备用服务{{Glossary("Fetch directive", "fetch directives")}}。</dd>
+ <dt>{{CSP("font-src")}}</dt>
+ <dd><strong>font-src:</strong>设置允许通过{{cssxref("@font-face")}}加载的字体源地址。</dd>
+ <dt>{{CSP("frame-src")}}</dt>
+ <dd><strong>frame-src: </strong>设置允许通过类似{{HTMLElement("frame")}}和{{HTMLElement("iframe")}}标签加载的内嵌内容的源地址。</dd>
+ <dt>{{CSP("img-src")}}</dt>
+ <dd><strong>img-src: </strong>限制图片和图标的源地址</dd>
+ <dt>{{CSP("manifest-src")}}</dt>
+ <dd><strong>manifest-src : </strong>限制应用声明文件的源地址。</dd>
+ <dt>{{CSP("media-src")}}</dt>
+ <dd><strong>media-src:</strong>限制通过{{HTMLElement("audio")}}、{{HTMLElement("video")}}或{{HTMLElement("track")}}标签加载的媒体文件的源地址。</dd>
+ <dt>{{CSP("object-src")}}</dt>
+ <dd><strong>object-src:</strong>限制{{HTMLElement("object")}}、{{HTMLElement("embed")}}、{{HTMLElement("applet")}}标签的源地址。</dd>
+</dl>
+
+<div class="blockIndicator note">
+<p>被<code>object-src</code>控制的元素可能碰巧被当作遗留HTML元素,导致不支持新标准中的功能(例如<code>&lt;iframe&gt;</code>中的安全属性<code>sandbox</code>和<code>allow</code>)。因此<strong>建议</strong>限制该指令的使用(比如,如果可行,将<code>object-src</code>显式设置为<code>'none'</code>)。</p>
+</div>
+
+<dl>
+ <dt>{{CSP("prefetch-src")}} </dt>
+ <dd>指定预加载或预渲染的允许源地址。</dd>
+ <dt>{{CSP("script-src")}}</dt>
+ <dd>限制JavaScript的源地址。</dd>
+ <dt>{{CSP("style-src")}}</dt>
+ <dd>限制层叠样式表文件源。</dd>
+ <dt>{{CSP("webrtc-src")}} {{experimental_inline}}</dt>
+ <dd>指定<a href="https://developer.mozilla.org/docs/Web/API/WebRTC_API">WebRTC</a>连接的合法源地址。</dd>
+ <dt>{{CSP("worker-src")}}</dt>
+ <dd>限制{{domxref("Worker")}}、{{domxref("SharedWorker")}}或者{{domxref("ServiceWorker")}}脚本源。</dd>
+</dl>
+
+<h3 id="文档指令_Document_directives">文档指令 | Document directives</h3>
+
+<p>文档指令管理文档属性或者worker环境应用的策略。</p>
+
+<dl>
+ <dt>{{CSP("base-uri")}}</dt>
+ <dd>限制在DOM中{{HTMLElement("base")}}元素可以使用的URL。</dd>
+ <dt>{{CSP("plugin-types")}}</dt>
+ <dd>通过限制可以加载的资源类型来限制哪些插件可以被嵌入到文档中。</dd>
+ <dt>{{CSP("sandbox")}}</dt>
+ <dd>类似{{HTMLElement("iframe")}} {{htmlattrxref("sandbox", "iframe")}}属性,为请求的资源启用沙盒。</dd>
+ <dt>{{CSP("disown-opener")}} {{obsolete_inline}}</dt>
+ <dd>确保资源在导航的时候能够脱离父页面。(windown.opener 对象)Ensures a resource will disown its opener when navigated to.</dd>
+</dl>
+
+<h3 id="导航指令_Navigation_directives">导航指令 | Navigation directives</h3>
+
+<p>导航指令管理用户能打开的链接或者表单可提交的链接</p>
+
+<dl>
+ <dt>{{CSP("form-action")}}</dt>
+ <dd>限制能被用来作为给定上下文的表单提交的目标 URL(说白了,就是限制 form 的 action 属性的链接地址)</dd>
+ <dt>{{CSP("frame-ancestors")}}</dt>
+ <dd>指定可能嵌入页面的有效父项{{HTMLElement("frame")}}, {{HTMLElement("iframe")}}, {{HTMLElement("object")}}, {{HTMLElement("embed")}}, or {{HTMLElement("applet")}}.</dd>
+ <dt>{{CSP("navigation-to")}} {{experimental_inline}}</dt>
+ <dd>限制文档可以通过以下任何方式访问URL (a, form, window.location, window.open, etc.)</dd>
+</dl>
+
+<h3 id="报告指令">报告指令</h3>
+
+<p>报告指令控制 CSP 违规的报告过程. 更多请看 {{HTTPHeader("Content-Security-Policy-Report-Only")}} 报头.</p>
+
+<dl>
+ <dt>{{CSP("report-uri")}} {{deprecated_inline}}</dt>
+ <dd>当出现可能违反CSP的操作时,让客户端提交报告。这些违规报告会以JSON文件的格式通过POST请求发送到指定的URI</dd>
+ <dt>{{CSP("report-to")}} {{experimental_inline}}</dt>
+ <dd>Fires a <code>SecurityPolicyViolationEvent</code>.</dd>
+</dl>
+
+<h3 id="其他指令_Other_directives">其他指令 | Other directives</h3>
+
+<dl>
+ <dt>{{CSP("block-all-mixed-content")}}</dt>
+ <dd>当使用HTTPS加载页面时阻止使用HTTP加载任何资源。</dd>
+ <dt>{{CSP("referrer")}} {{obsolete_inline}}</dt>
+ <dd>用来指定会离开当前页面的跳转链接的 referer header 信息。应该使用 {{HTTPHeader("Referrer-Policy")}} 替代。</dd>
+ <dt>{{CSP("require-sri-for")}}</dt>
+ <dd>需要使用 {{Glossary("SRI")}} 作用于页面上的脚本或样式。</dd>
+ <dt>{{CSP("upgrade-insecure-requests")}}</dt>
+ <dd>让浏览器把一个网站所有的不安全 URL(通过 HTTP 访问)当做已经被安全的 URL 链接(通过 HTTPS 访问)替代。这个指令是为了哪些有量大不安全的传统 URL 需要被重写时候准备的。</dd>
+</dl>
+
+<h2 id="CSP_和_Workers">CSP 和 Workers</h2>
+
+<p><a href="/en-US/docs/Web/API/Worker">Workers</a> 一般来说不被创建他的文档(或者父级Worker)的CSP策略管理。如果要为Worker指定CSP策略,可以为Worker脚本的请求的响应的头部设置CSP策略。 </p>
+
+<p>例外的情况是,如果Worker脚本的来源是一个全局唯一ID(比如,它的URL是一个结构化的数据或者BLOB)。在这种情况下,这个Worker会继承它所属的文档或者创建它的Worker的CSP策略。</p>
+
+<h2 id="多内容安全策略">多内容安全策略</h2>
+
+<p>CSP 允许在一个资源中指定多个策略, 包括通过 <code>Content-Security-Policy</code> 头, 以及 {{HTTPHeader("Content-Security-Policy-Report-Only")}} 头,和 {{HTMLElement("meta")}} 组件。</p>
+
+<p>你可以像以下实例一样多次调用 <code>Content-Security-Policy</code> 头。 特别注意这里的 {{CSP("connect-src")}} 指令。 尽管第二个策略允许连接, 第一个策略仍然包括了 <code>connect-src 'none'</code>。添加了附加的策略后,只会让资源保护的能力更强,也就是说不会有接口可以被允许访问,等同于最严格的策略,<code>connect-src 'none'</code> 强制开启。</p>
+
+<pre>Content-Security-Policy: default-src 'self' http://example.com;
+ connect-src 'none';
+Content-Security-Policy: connect-src http://example.com/;
+ script-src http://example.com/</pre>
+
+<h2 id="示例">示例</h2>
+
+<p>示例: 禁用不安全的内联/动态执行, 只允许通过 https加载这些资源 (images, fonts, scripts, etc.)</p>
+
+<pre>// header
+Content-Security-Policy: default-src https:
+
+// meta tag
+&lt;meta http-equiv="Content-Security-Policy" content="default-src https:"&gt;
+</pre>
+
+<p>示例: 已经存在的一个网站,用了太多内联代码修复问题,而且想确保资源只从 https 加载,并且禁止插件:</p>
+
+<pre>Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'</pre>
+
+<p>实例:还没有开始实施上面的策略;相反,只是开始上报可能会发生违反安全策略的行为:</p>
+
+<pre>Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/</pre>
+
+<p>查看 <a href="https://wiki.mozilla.org/Security/Guidelines/Web_Security#Examples_5">Mozilla Web Security Guidelines</a> 上的更多例子.</p>
+
+<h2 id="规范">规范</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">规范</th>
+ <th scope="col">状态</th>
+ <th scope="col">注释</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>Adds <code>disown-opener</code>, <code>manifest-src</code>, <code>navigation-to</code>, <code>report-uri</code>, <code>strict-dynamic</code>, <code>worker-src</code>. Undeprecates <code>frame-src</code>. Deprecates report-uri in favor if <code>report-to</code>.</td>
+ </tr>
+ <tr>
+ <td>{{specName("Mixed Content")}}</td>
+ <td>{{Spec2('Mixed Content')}}</td>
+ <td>Adds <code>block-all-mixed-content</code>.</td>
+ </tr>
+ <tr>
+ <td>{{specName("Subresource Integrity")}}</td>
+ <td>{{Spec2('Subresource Integrity')}}</td>
+ <td>Adds <code>require-sri-for</code>.</td>
+ </tr>
+ <tr>
+ <td>{{specName("Upgrade Insecure Requests")}}</td>
+ <td>{{Spec2('Upgrade Insecure Requests')}}</td>
+ <td>Adds <code>upgrade-insecure-requests</code>.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>Adds <code>base-uri</code>, <code>child-src</code>, <code>form-action</code>, <code>frame-ancestors</code>, <code>plugin-types</code>, <code>referrer</code>, <code>reflected-xss</code>, and <code>report-uri</code>. Deprecates <code>frame-src</code>.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.0")}}</td>
+ <td>{{Spec2('CSP 1.0')}}</td>
+ <td>Defines <code>connect-src</code>, <code>default-src</code>, <code>font-src</code>, <code>frame-src</code>, <code>img-src</code>, <code>media-src</code>, <code>object-src</code>, report-uri, <code>sandbox</code>, <code>script-src,</code> and <code>style-src</code>.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="浏览器兼容性">浏览器兼容性</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http/headers/content-security-policy", "Content-Security-Policy")}}</p>
+
+<h2 id="参见">参见</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy-Report-Only")}}</li>
+ <li><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy">Content Security in WebExtensions</a></li>
+ <li>
+ <p><a href="/en-US/docs/Tools/GCLI/Display_security_and_privacy_policies">Display security and privacy policies In Firefox Developer Tools</a></p>
+ </li>
+</ul>
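Review bot: the first definition list is malformed: the warning box for child-src ("如果开发者希望管控内嵌浏览器内容和 web worker 应分别使用...") is wrapped in a <dt>, followed by an empty "<dt></dt>"; move the <div class="warning"> into the preceding <dd> for child-src and drop the empty <dt>. Also: the report-to entry keeps the untranslated "Fires a <code>SecurityPolicyViolationEvent</code>.", which does not describe the directive; it names the reporting endpoint group, as the report-to page later in this commit shows ("Content-Security-Policy: ...; report-to groupname"). Typos: "为其他取指令提供备用服务" should be "为其他获取指令提供备用服务"; the disown-opener entry mixes Chinese with the untranslated English sentence and misspells "windown.opener"; "哪些有量大不安全的传统 URL" should be "那些有大量不安全的传统 URL"; "不被创建他的文档" should be "不被创建它的文档"; "Deprecates report-uri in favor if report-to" should be "in favor of"; in the intro, "脚本结束点" should be "脚本端点" (endpoints).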
diff --git a/files/zh-cn/web/http/headers/content-security-policy/report-to/index.html b/files/zh-cn/web/http/headers/content-security-policy/report-to/index.html
new file mode 100644
index 0000000000..9789e2363d
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/report-to/index.html
@@ -0,0 +1,82 @@
+---
+title: report-to
+slug: Web/HTTP/Headers/Content-Security-Policy/report-to
+translation_of: Web/HTTP/Headers/Content-Security-Policy/report-to
+---
+<p><dfn><code>Report-To</code></dfn> HTTP响应头部指示客户端存储特定域名的报告端点。</p>
+
+<pre>Content-Security-Policy: ...; report-to groupname
+</pre>
+
+<p>该指令本身没有任何影响,仅与其他指令结合起来才有意义。</p>
+
+<table>
+ <tbody>
+ <tr>
+ <th scope="row">CSP version</th>
+ <td>1</td>
+ </tr>
+ <tr>
+ <th scope="row">指令类型</th>
+ <td>{{Glossary("Reporting directive")}}</td>
+ </tr>
+ <tr>
+ <th colspan="2" scope="row">
+ <p>{{HTMLElement("meta")}} <span style="font-style: inherit; font-weight: inherit;">元素并不支持该指令</span></p>
+ </th>
+ </tr>
+ </tbody>
+</table>
+
+<p> </p>
+
+<h2 id="Syntax">Syntax</h2>
+
+<p> </p>
+
+<pre>Content-Security-Policy: report-to &lt;json-field-value&gt;;</pre>
+
+<h2 id="Examples">Examples</h2>
+
+<p>可以查看{{HTTPHeader("Content-Security-Policy-Report-Only")}}获取更多信息和示例。</p>
+
+<pre><a href="http://wicg.github.io/reporting/#report-to" id="ref-for-report-to①">Report-To</a>: { "<a href="http://wicg.github.io/reporting/#group" id="ref-for-group①">group</a>": "csp-endpoint",
+ "<a href="http://wicg.github.io/reporting/#max-age" id="ref-for-max-age①">max-age</a>": 10886400,
+ "<a href="http://wicg.github.io/reporting/#endpoints" id="ref-for-endpoints②">endpoints</a>": [
+ { "<a href="http://wicg.github.io/reporting/#url" id="ref-for-url②">url</a>": "https://example.com/csp-reports" }
+ ] },
+ { "<a href="http://wicg.github.io/reporting/#group" id="ref-for-group②">group</a>": "hpkp-endpoint",
+ "<a href="http://wicg.github.io/reporting/#max-age" id="ref-for-max-age②">max-age</a>": 10886400,
+ "<a href="http://wicg.github.io/reporting/#endpoints" id="ref-for-endpoints③">endpoints</a>": [
+ { "<a href="http://wicg.github.io/reporting/#url" id="ref-for-url③">url</a>": "https://example.com/hpkp-reports" }
+ ] }
+<a href="https://w3c.github.io/webappsec-csp/#content-security-policy" id="ref-for-content-security-policy①">Content-Security-Policy</a>: ...; <a href="https://w3c.github.io/webappsec-csp/#directives-reporting" id="ref-for-directives-reporting①">report-to</a> csp-endpoint
+</pre>
+
+<p> </p>
+
+<pre><a href="http://wicg.github.io/reporting/#report-to" id="ref-for-report-to">Report-To</a>: { "<a href="http://wicg.github.io/reporting/#group" id="ref-for-group">group</a>": "endpoint-1",
+ "<a href="http://wicg.github.io/reporting/#max-age" id="ref-for-max-age">max-age</a>": 10886400,
+ "<a href="http://wicg.github.io/reporting/#endpoints" id="ref-for-endpoints①">endpoints</a>": [
+ { "<a href="http://wicg.github.io/reporting/#url" id="ref-for-url">url</a>": "https://example.com/reports" },
+ { "<a href="http://wicg.github.io/reporting/#url" id="ref-for-url①">url</a>": "https://backup.com/reports" }
+ ] }
+
+<a href="https://w3c.github.io/webappsec-csp/#content-security-policy" id="ref-for-content-security-policy">Content-Security-Policy</a>: ...; <a href="https://w3c.github.io/webappsec-csp/#directives-reporting" id="ref-for-directives-reporting">report-to</a> endpoint-1</pre>
+
+<p> </p>
+
+<p>Browser compatibility</p>
+
+<p>The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.report-to")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTTPHeader("Content-Security-Policy-Report-Only")}}</li>
+</ul>
+
+<p> </p>
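Review bot: the properties table says "CSP version 1", but the index page in this same commit lists report-to as added in CSP 3.0 (which deprecates report-uri in its favour); change it to 3. The intro describes the Report-To response header rather than the report-to directive the page is about; lead with the directive ("report-to 指令指示客户端将违规报告发送到由 Report-To 头部定义的端点组") and introduce the Report-To header as its companion. The syntax block "report-to <json-field-value>" contradicts the first example "report-to groupname": the directive value is a group name token, and the JSON belongs to the Report-To header. Structurally, "Browser compatibility" is a <p> rather than an <h2>, the "compatibility table in this page is generated from structured data" paragraph lost its class="hidden" and will render, the five empty "<p> </p>" paragraphs should be removed, and the Specifications section that the sibling pages carry is missing here.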
diff --git a/files/zh-cn/web/http/headers/content-security-policy/require-sri-for/index.html b/files/zh-cn/web/http/headers/content-security-policy/require-sri-for/index.html
new file mode 100644
index 0000000000..0c79f8e21b
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/require-sri-for/index.html
@@ -0,0 +1,70 @@
+---
+title: 'CSP: require-sri-for'
+slug: Web/HTTP/Headers/Content-Security-Policy/require-sri-for
+translation_of: Web/HTTP/Headers/Content-Security-Policy/require-sri-for
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP协议 {{HTTPHeader("Content-Security-Policy")}}头部的require-sri-for指令指示客户端在页面上对脚本或样式使用子资源完整性策略。</p>
+
+<h2 id="Syntax">Syntax</h2>
+
+<pre class="syntaxbox">Content-Security-Policy: require-sri-for script;
+Content-Security-Policy: require-sri-for style;
+Content-Security-Policy: require-sri-for script style;
+</pre>
+
+<dl>
+ <dt><code>script</code></dt>
+ <dd>要求脚本符合{{Glossary("SRI")}}。</dd>
+ <dt><code>style</code></dt>
+ <dd>要求样式资源满足 {{Glossary("SRI")}}。</dd>
+ <dt><code>script style</code></dt>
+ <dd>要求脚本和样式资源都满足{{Glossary("SRI")}}。</dd>
+</dl>
+
+<h2 id="Examples">Examples</h2>
+
+<p>如果你通过如下指令将站点设置为要求脚本和资源满足SRI策略: </p>
+
+<pre>Content-Security-Policy: require-sri-for script style</pre>
+
+<p>{{HTMLElement("script")}} 元素会被加载,因为它们拥有有效的完整性属性。</p>
+
+<pre class="brush: html; example-good">&lt;script src="https://code.jquery.com/jquery-3.1.1.slim.js"
+ integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
+ crossorigin="anonymous"&gt;&lt;/script&gt;</pre>
+
+<p>但是,没有完整性属性的脚本将不会再加载:</p>
+
+<pre class="brush: html; example-bad">&lt;script src="https://code.jquery.com/jquery-3.1.1.slim.js"&gt;&lt;/script&gt;</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("Subresource Integrity", "#opt-in-require-sri-for", "require-sri-for")}}</td>
+ <td>{{Spec2('Subresource Integrity')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.require-sri-for")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li><a href="/en-US/docs/Web/Security/Subresource_Integrity">Subresource Integrity</a></li>
+</ul>
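Review bot: "要求脚本和资源满足SRI策略" should read "要求脚本和样式满足 SRI 策略", matching the "require-sri-for script style" policy in the example. The good/bad pair would also be clearer if the text said that the crossorigin="anonymous" attribute shown on the good <script> is required for the integrity check on a cross-origin script such as code.jquery.com, not an optional extra. The headings Syntax, Examples, Specifications and See also remain in English while the body is Chinese.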
diff --git a/files/zh-cn/web/http/headers/content-security-policy/sandbox/index.html b/files/zh-cn/web/http/headers/content-security-policy/sandbox/index.html
new file mode 100644
index 0000000000..7420675567
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/sandbox/index.html
@@ -0,0 +1,99 @@
+---
+title: 'CSP: sandbox'
+slug: Web/HTTP/Headers/Content-Security-Policy/sandbox
+tags:
+ - CSP
+ - XSS防御
+ - http头
+ - 安全
+translation_of: Web/HTTP/Headers/Content-Security-Policy/sandbox
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) <code><strong>sandbox</strong></code> directive enables a sandbox for the requested resource similar to the {{HTMLElement("iframe")}} {{htmlattrxref("sandbox", "iframe")}} attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.</p>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP version</th>
+ <td>1.1 / 2</td>
+ </tr>
+ <tr>
+ <th scope="row">Directive type</th>
+ <td>{{Glossary("Document directive")}}</td>
+ </tr>
+ <tr>
+ <th colspan="2" scope="row">This directive is not supported in the {{HTMLElement("meta")}} element or by the {{HTTPHeader("Content-Security-policy-Report-Only")}} header field.</th>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="句法"><font><font>句法</font></font></h2>
+
+<pre class="syntaxbox">Content-Security-Policy: sandbox;
+Content-Security-Policy: sandbox &lt;value&gt;;
+</pre>
+
+<p><code>&lt;value&gt;</code><font><font>可以选择是以下值之一:</font></font></p>
+
+<dl>
+ <dt><code>allow-forms</code></dt>
+ <dd><font><font>允许嵌入式浏览上下文提交表单。</font><font>如果未使用此关键字,则不允许此操作。</font></font></dd>
+ <dt><code>allow-modals</code></dt>
+ <dd><font><font>允许嵌入式浏览上下文打开模态窗口。</font></font></dd>
+ <dt><code>allow-orientation-lock</code></dt>
+ <dd>允许嵌入式浏览上下文禁用锁定屏幕方向的功能。</dd>
+ <dt><code>allow-pointer-lock</code></dt>
+ <dd><font><font>允许嵌入式浏览上下文使用</font></font><a href="https://developer.mozilla.org/en-US/docs/WebAPI/Pointer_Lock"><font><font>Pointer Lock API</font></font></a><font><font>。</font></font></dd>
+ <dt><code>allow-popups</code></dt>
+ <dd><font><font>允许弹出窗口(像</font></font><code>window.open</code><font><font>,</font></font><code>target="_blank"</code><font><font>,</font></font><code>showModalDialog</code><font><font>)。</font><font>如果未使用此关键字,则该功能将无提示失败。</font></font></dd>
+ <dt><code>allow-popups-to-escape-sandbox</code></dt>
+ <dd><font>允许沙盒文档打开新窗口而不强制沙盒标记。</font><font>例如,这将允许安全地沙箱化第三方广告,而不会对登陆页面施加相同的限制。</font></dd>
+ <dt><code>allow-presentation</code></dt>
+ <dd><font><font>允许嵌入器控制iframe是否可以启动演示会话。</font></font></dd>
+ <dt><code>allow-same-origin</code></dt>
+ <dd><font>允许将内容视为来自其正常来源。</font><font>如果未使用此关键字,则嵌入的内容将被视为来自唯一来源。</font></dd>
+ <dt><code>allow-scripts</code></dt>
+ <dd><font>允许嵌入式浏览上下文运行脚本(但不创建弹出窗口)。</font><font>如果未使用此关键字,则不允许此操作。</font></dd>
+ <dt><code>allow-top-navigation</code></dt>
+ <dd><font>允许嵌入式浏览上下文将内容导航(加载)到顶级浏览上下文。</font><font>如果未使用此关键字,则不允许此操作。</font></dd>
+</dl>
+
+<h2 id="例子"><font><font>例子</font></font></h2>
+
+<pre class="brush: bash">Content-Security-Policy: sandbox allow-scripts;</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-sandbox", "sandbox")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>No changes.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1", "#directive-sandbox", "sandbox")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="浏览器兼容性"><font><font>浏览器兼容性</font></font></h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.sandbox")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{htmlattrxref("sandbox", "iframe")}} attribute on {{HTMLElement("iframe")}} elements</li>
+</ul>
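Review bot: the 句法 section and the whole value list are wrapped in nested "<font><font>...</font></font>" tags (machine-translation residue) that should be stripped. The properties table references {{HTTPHeader("Content-Security-policy-Report-Only")}} with a lowercase "policy"; the macro elsewhere in this commit uses "Content-Security-Policy-Report-Only", so this one will likely not resolve. "allow-orientation-lock" is described as "禁用锁定屏幕方向的功能" (disable orientation locking), the opposite of what the keyword name says; it should read "允许嵌入式浏览上下文锁定屏幕方向". The intro paragraph is still untranslated English.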
diff --git a/files/zh-cn/web/http/headers/content-security-policy/script-src-elem/index.html b/files/zh-cn/web/http/headers/content-security-policy/script-src-elem/index.html
new file mode 100644
index 0000000000..674e7bd9b0
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/script-src-elem/index.html
@@ -0,0 +1,87 @@
+---
+title: 'CSP: script-src-elem'
+slug: Web/HTTP/Headers/Content-Security-Policy/script-src-elem
+translation_of: Web/HTTP/Headers/Content-Security-Policy/script-src-elem
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP协议中 {{HTTPHeader("Content-Security-Policy")}} (CSP) <code><strong>script-src-elem</strong></code> 指示符明指定了合法的js要素来源 {{HTMLElement("script")}} ,但是不包括类似onclick这样的事件处理器中包含的内联脚本。</p>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP 版本</th>
+ <td>3</td>
+ </tr>
+ <tr>
+ <th scope="row">Directive type</th>
+ <td>{{Glossary("Fetch directive")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">{{CSP("default-src")}} fallback</th>
+ <td>Yes. If this directive is absent, the user agent will look for the {{CSP("script-src")}} directive, and if both of them are absent, fallback to <code>default-src</code> directive.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="语法">语法</h2>
+
+<p> <code>script-src-elem</code> 可以允许多个来源:</p>
+
+<pre class="syntaxbox notranslate">Content-Security-Policy: script-src-elem &lt;source&gt;;
+Content-Security-Policy: script-src-elem &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<p><code>script-src-elem</code> 可以跟 {{CSP("script-src")}}一起用:</p>
+
+<pre class="syntaxbox notranslate">Content-Security-Policy: script-src &lt;source&gt;;
+Content-Security-Policy: script-src-elem &lt;source&gt;;
+</pre>
+
+<h3 id="Sources">Sources</h3>
+
+<p>{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>
+
+<h2 id="范例">范例</h2>
+
+<h3 id="回退到_script-src">回退到 script-src</h3>
+
+<p>如果没有 <code>script-src-elem</code> 存在, 客户端会回退到 {{CSP("script-src")}} 指示符, 如果那个也还是没有那就回退到 {{CSP("default-src")}}。</p>
+
+<div class="hidden">
+<p>TODO: Add comprehensive examples.</p>
+</div>
+
+<h2 id="细则">细则</h2>
+
+<table class="standard-table">
+ <thead>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-script-src-elem", "script-src-elem")}}</td>
+ <td>{{Spec2("CSP 3.0")}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="浏览器兼容问题">浏览器兼容问题</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.Content-Security-Policy.script-src-elem")}}</p>
+
+<h2 id="其他的链接">其他的链接</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTMLElement("script")}}</li>
+ <li>{{CSP("script-src")}}</li>
+ <li>{{CSP("script-src-attr")}}</li>
+</ul>
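Review bot: the intro sentence "指示符明指定了合法的js要素来源" is garbled; suggest "指令指定了 JavaScript <script> 元素的合法来源,但不包括 onclick 等事件处理器中的内联脚本". The default-src fallback cell ("Yes. If this directive is absent, the user agent will look for...") is untranslated, though the same information appears translated under 回退到 script-src. The Compat macro key "http.headers.csp.Content-Security-Policy.script-src-elem" has a different path shape from the sibling pages ("http.headers.csp.sandbox", "http.headers.csp.require-sri-for"); verify against browser-compat-data that this key exists. The hidden "TODO: Add comprehensive examples." block is carried over from the English source and should be dropped or filled.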
diff --git a/files/zh-cn/web/http/headers/content-security-policy/upgrade-insecure-requests/index.html b/files/zh-cn/web/http/headers/content-security-policy/upgrade-insecure-requests/index.html
new file mode 100644
index 0000000000..68eb2c5036
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/upgrade-insecure-requests/index.html
@@ -0,0 +1,84 @@
+---
+title: 'CSP: upgrade-insecure-requests'
+slug: Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
+translation_of: Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
+---
+<div>{{HTTPSidebar}}</div>
+
+<p> </p>
+
+<p>HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) <code><strong>upgrade-insecure-requests</strong></code>指令指示客户端将该站点的所有不安全URL(通过HTTP提供的URL)视为已被替换为安全URL(通过HTTPS提供的URL)。该指令适用于需要重写大量不安全的旧版URL的网站。</p>
+
+<p><code>upgrade-insecure-requests</code>指令在 {{CSP("block-all-mixed-content")}} 之前被执行,如果其被设置,后者实际上是空操作。可以设置其中一个,但不能同时设置。</p>
+
+<p>The <code>upgrade-insecure-requests</code> directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the {{HTTPHeader("Strict-Transport-Security")}} ({{Glossary("HSTS")}}) header, which should still be set with an appropriate <code>max-age</code> to ensure that users are not subject to SSL stripping attacks.</p>
+
+<h2 id="Syntax">Syntax</h2>
+
+<pre class="syntaxbox">Content-Security-Policy: upgrade-insecure-requests;</pre>
+
+<h2 id="Examples">Examples</h2>
+
+<pre>// header
+Content-Security-Policy: upgrade-insecure-requests;
+
+// meta tag
+&lt;meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"&gt;
+</pre>
+
+<p>一旦将上述头部设置在计划从HTTP迁移到HTTPS的example.com域名上, 非跳转(non-navigational)的不安全资源请求会自动升级到HTTPS(包括第当前域名以及第三方请求)。</p>
+
+<pre class="brush: html">&lt;img src="http://example.com/image.png"&gt;
+&lt;img src="http://not-example.com/image.png"&gt;</pre>
+
+<p>这些URL在请求发送之前都会被改写成HTTPS,也就意味着不安全的请求都不会发送出去。注意,如果请求的资源在HTTPS情况下不可用,则该请求将失败, 其也不能回退到HTTP。</p>
+
+<pre class="brush: html">&lt;img src="https://example.com/image.png"&gt;
+&lt;img src="https://not-example.com/image.png"&gt;</pre>
+
+<p>Navigational upgrades to third-party resources brings a significantly higher potential for breakage, these are not upgraded:</p>
+
+<pre class="brush: html">&lt;a href="https://example.com/"&gt;Home&lt;/a&gt;
+&lt;a href="http://not-example.com/"&gt;Home&lt;/a&gt;</pre>
+
+<h3 id="Finding_insecure_requests">Finding insecure requests</h3>
+
+<p>通过 {{HTTPHeader("Content-Security-Policy-Report-Only")}}  HTTP头部和 {{CSP("report-uri")}} 指令,您可以设置执行策略和报告策略,如下所示:</p>
+
+<pre>Content-Security-Policy: upgrade-insecure-requests; default-src https:
+Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint</pre>
+
+<p>That way, you still upgrade insecure requests on your secure site, but the only monitoring policy is violated and reports insecure resources to your endpoint.</p>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("Upgrade Insecure Requests", "#delivery", "upgrade-insecure-requests")}}</td>
+ <td>{{Spec2('Upgrade Insecure Requests')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.upgrade-insecure-requests")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTTPHeader("Upgrade-Insecure-Requests")}} header</li>
+ <li>{{HTTPHeader("Strict-Transport-Security")}} ({{Glossary("HSTS")}}) header</li>
+ <li>{{CSP("block-all-mixed-content")}}</li>
+ <li><a href="/en-US/docs/Web/Security/Mixed_content">Mixed content</a></li>
+</ul>
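Review bot: "but the only monitoring policy is violated" should read "but only the monitoring policy is violated"; that sentence, the HSTS paragraph, "Navigational upgrades to third-party resources..." and the "Finding insecure requests" heading are still untranslated. "可以设置其中一个,但不能同时设置" states a prohibition, while the preceding sentence says setting both merely makes block-all-mixed-content a no-op; soften it to "建议只设置其中一个". "包括第当前域名" has a stray 第. The leading empty "<p> </p>" after the sidebar should be removed.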
diff --git a/files/zh-cn/web/http/headers/content-security-policy/worker-src/index.html b/files/zh-cn/web/http/headers/content-security-policy/worker-src/index.html
new file mode 100644
index 0000000000..538dfea028
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/worker-src/index.html
@@ -0,0 +1,92 @@
+---
+title: 'CSP: worker-src'
+slug: Web/HTTP/Headers/Content-Security-Policy/worker-src
+translation_of: Web/HTTP/Headers/Content-Security-Policy/worker-src
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) <code><strong>worker-src</strong></code> directive specifies valid sources for {{domxref("Worker")}}, {{domxref("SharedWorker")}}, or {{domxref("ServiceWorker")}} scripts.</p>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP version</th>
+ <td>3</td>
+ </tr>
+ <tr>
+ <th scope="row">Directive type</th>
+ <td>{{Glossary("Fetch directive")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">Fallback</th>
+ <td>
+ <p>If this directive is absent, the user agent will first look for the {{CSP("child-src")}} directive, then the {{CSP("script-src")}} directive, then finally for the {{CSP("default-src")}} directive, when governing worker execution.</p>
+
+ <p>Chrome 59 and higher skips the {{CSP("child-src")}} directive.</p>
+
+ <p>Edge 17 skips the {{CSP("script-src")}} directive (<a href="https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17415478/">bug</a>).</p>
+ </td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<p>One or more sources can be allowed for the <code>worker-src</code> policy:</p>
+
+<pre class="syntaxbox notranslate">Content-Security-Policy: worker-src &lt;source&gt;;
+Content-Security-Policy: worker-src &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="Sources">Sources</h3>
+
+<p>{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}</p>
+
+<h2 id="Examples">Examples</h2>
+
+<h3 id="Violation_cases">Violation cases</h3>
+
+<p>Given this CSP header:</p>
+
+<pre class="brush: bash notranslate">Content-Security-Policy: worker-src https://example.com/</pre>
+
+<p>{{domxref("Worker")}}, {{domxref("SharedWorker")}}, {{domxref("ServiceWorker")}} are blocked and won't load:</p>
+
+<pre class="brush: html notranslate">&lt;script&gt;
+ var blockedWorker = new Worker("data:application/javascript,...");
+ blockedWorker = new SharedWorker("https://not-example.com/");
+ navigator.serviceWorker.register('https://not-example.com/sw.js');
+&lt;/script&gt;</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <thead>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-worker-src", "worker-src")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.Content-Security-Policy.worker-src")}}</p>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li><a href="/docs/Web/API/Web_Workers_API/Using_web_workers#Content_security_policy">CSP for Web Workers</a></li>
+ <li>{{domxref("Worker")}}, {{domxref("SharedWorker")}}, {{domxref("ServiceWorker")}}</li>
+</ul>
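Review bot: this file is added under files/zh-cn but its body is entirely the English source text; only the front matter marks it as a translation. Either translate it or leave it out of the zh-cn tree so the locale fallback serves the English page. Also the "CSP for Web Workers" link is "/docs/Web/API/Web_Workers_API/..." with no locale prefix, unlike the "/en-US/docs/..." links on the other pages, and the Compat key "http.headers.csp.Content-Security-Policy.worker-src" differs in shape from the sibling pages' "http.headers.csp.<directive>" keys; verify it against browser-compat-data.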