diff options
Diffstat (limited to 'files/zh-cn/web/http/headers/content-security-policy/child-src/index.html')
| -rw-r--r-- | files/zh-cn/web/http/headers/content-security-policy/child-src/index.html | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/files/zh-cn/web/http/headers/content-security-policy/child-src/index.html b/files/zh-cn/web/http/headers/content-security-policy/child-src/index.html new file mode 100644 index 0000000000..6299b2768c --- /dev/null +++ b/files/zh-cn/web/http/headers/content-security-policy/child-src/index.html @@ -0,0 +1,89 @@ +--- +title: 'CSP: child-src' +slug: Web/HTTP/Headers/Content-Security-Policy/child-src +translation_of: Web/HTTP/Headers/Content-Security-Policy/child-src +--- +<div>{{HTTPSidebar}}</div> + +<p>The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) <strong><code>child-src</code></strong> directive defines the valid sources for <a href="/en-US/docs/Web/API/Web_Workers_API">web workers</a> and nested <a id="002" name="002">browsing </a>contexts loaded using elements such as {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}. For workers, non-compliant requests are treated as fatal network errors by the user agent.</p> + +<table class="properties"> + <tbody> + <tr> + <th scope="row">CSP version</th> + <td>2</td> + </tr> + <tr> + <th scope="row">Directive type</th> + <td>{{Glossary("Fetch directive")}}</td> + </tr> + <tr> + <th scope="row">{{CSP("default-src")}} fallback</th> + <td>Yes. If this directive is absent, the user agent will look for the <code>default-src</code> directive.</td> + </tr> + </tbody> +</table> + +<h2 id="Syntax">Syntax</h2> + +<p>One or more sources can be allowed for the child-src policy:</p> + +<pre class="syntaxbox">Content-Security-Policy: child-src <source>; +Content-Security-Policy: child-src <source> <source>; +</pre> + +<h3 id="Sources">Sources</h3> + +<p>{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}</p> + +<h2 id="Examples">Examples</h2> + +<h3 id="Violation_cases">Violation cases</h3> + +<p>Given this CSP header:</p> + +<pre class="brush: bash">Content-Security-Policy: child-src https://example.com/</pre> + +<p>This {{HTMLElement("iframe")}} and worker are blocked and won't load:</p> + +<pre class="brush: html"><iframe src="https://not-example.com"></iframe> + +<script> + var blockedWorker = new Worker("data:application/javascript,..."); +</script></pre> + +<h2 id="Specifications">Specifications</h2> + +<table class="standard-table"> + <tbody> + <tr> + <th scope="col">Specification</th> + <th scope="col">Status</th> + <th scope="col">Comment</th> + </tr> + <tr> + <td>{{specName("CSP 3.0", "#directive-child-src", "child-src")}}</td> + <td>{{Spec2('CSP 3.0')}}</td> + <td>No changes.</td> + </tr> + <tr> + <td>{{specName("CSP 1.1", "#directive-child-srci", "child-src")}}</td> + <td>{{Spec2('CSP 1.1')}}</td> + <td>Initial definition.</td> + </tr> + </tbody> +</table> + +<h2 id="Browser_compatibility">Browser compatibility</h2> + +<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p> + +<p>{{Compat("http.headers.csp.Content-Security-Policy.child-src")}}</p> + +<h2 id="See_also">See also</h2> + +<ul> + <li>{{HTTPHeader("Content-Security-Policy")}}</li> + <li>{{HTMLElement("frame")}} and {{HTMLElement("iframe")}}</li> + <li>{{domxref("Worker")}}, {{domxref("SharedWorker")}}, {{domxref("ServiceWorker")}}</li> +</ul> |