Diffstat (limited to 'files/zh-cn/web/http/headers/content-security-policy/connect-src/index.html')
-rw-r--r-- files/zh-cn/web/http/headers/content-security-policy/connect-src/index.html 114
1 files changed, 114 insertions, 0 deletions
diff --git a/files/zh-cn/web/http/headers/content-security-policy/connect-src/index.html b/files/zh-cn/web/http/headers/content-security-policy/connect-src/index.html
new file mode 100644
index 0000000000..3951f7ee6b
--- /dev/null
+++ b/files/zh-cn/web/http/headers/content-security-policy/connect-src/index.html
@@ -0,0 +1,114 @@
+---
+title: 'CSP: connect-src'
+slug: Web/HTTP/Headers/Content-Security-Policy/connect-src
+translation_of: Web/HTTP/Headers/Content-Security-Policy/connect-src
+---
+<div>{{HTTPSidebar}}</div>
+
+<p>HTTP协议头部{{HTTPHeader("Content-Security-Policy")}} (CSP)的<code><strong>connect</strong></code><strong><code>-src</code></strong> 指令用于控制允许通过脚本接口加载的链接地址。其中受到影响的API如下: </p>
+
+<ul>
+ <li>{{HTMLElement("a")}} {{htmlattrxref("ping", "a")}},</li>
+ <li>{{domxref("Fetch")}},</li>
+ <li>{{domxref("XMLHttpRequest")}},</li>
+ <li>{{domxref("WebSocket")}}, and</li>
+ <li>{{domxref("EventSource")}}.</li>
+</ul>
+
+<table class="properties">
+ <tbody>
+ <tr>
+ <th scope="row">CSP version</th>
+ <td>1</td>
+ </tr>
+ <tr>
+ <th scope="row">Directive type</th>
+ <td>{{Glossary("Fetch directive")}}</td>
+ </tr>
+ <tr>
+ <th scope="row">{{CSP("default-src")}} fallback</th>
+ <td>Yes. If this directive is absent, the user agent will look for the <code>default-src</code> directive.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Syntax">Syntax</h2>
+
+<p>connect-src 可以设置一个或者多个源地址: </p>
+
+<pre class="syntaxbox">Content-Security-Policy: connect-src &lt;source&gt;;
+Content-Security-Policy: connect-src &lt;source&gt; &lt;source&gt;;
+</pre>
+
+<h3 id="Sources">Sources</h3>
+
+<p>{{page("/Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>
+
+<h2 id="Examples">Examples</h2>
+
+<h3 id="Violation_cases">Violation cases</h3>
+
+<p>给定如下CSP头部: </p>
+
+<pre class="brush: bash">Content-Security-Policy: connect-src https://example.com/</pre>
+
+<p>如下的连接请求会被阻塞且不会加载: </p>
+
+<pre class="brush: html">&lt;a ping="https://not-example.com"&gt;
+
+&lt;script&gt;
+ var xhr = new XMLHttpRequest();
+ xhr.open('GET', 'https://not-example.com/');
+ xhr.send();
+
+ var ws = new WebSocket("https://not-example.com/");
+
+ var es = new EventSource("https://not-example.com/");
+
+ navigator.sendBeacon("https://not-example.com/", { ... });
+&lt;/script&gt;</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <th scope="col">Specification</th>
+ <th scope="col">Status</th>
+ <th scope="col">Comment</th>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 3.0", "#directive-connect-src", "connect-src")}}</td>
+ <td>{{Spec2('CSP 3.0')}}</td>
+ <td>No changes.</td>
+ </tr>
+ <tr>
+ <td>{{specName("CSP 1.1", "#directive-connect-src", "connect-src")}}</td>
+ <td>{{Spec2('CSP 1.1')}}</td>
+ <td>Initial definition.</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="Browser_compatibility">Browser compatibility</h2>
+
+<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
+
+<p>{{Compat("http.headers.csp.connect-src")}}</p>
+
+<h2 id="Compatibility_notes">Compatibility notes</h2>
+
+<ul>
+ <li>Prior to Firefox 23, <code>xhr-src</code> was used in place of the <code>connect-src</code> directive and only restricted the use of {{domxref("XMLHttpRequest")}}.</li>
+</ul>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li>{{HTTPHeader("Content-Security-Policy")}}</li>
+ <li>{{HTMLElement("a")}} {{htmlattrxref("ping", "a")}}</li>
+ <li>{{domxref("Fetch")}}</li>
+ <li>{{domxref("XMLHttpRequest")}}</li>
+ <li>{{domxref("WebSocket")}}</li>
+ <li>{{domxref("EventSource")}}</li>
+</ul>
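Review bot: In the violation example, `var ws = new WebSocket("https://not-example.com/");` passes an https: URL, but WebSocket endpoints use the ws: or wss: scheme, so the line can fail on the scheme and does not cleanly show a connect-src block; use `new WebSocket("wss://not-example.com/")`. The same example calls `navigator.sendBeacon(...)`, yet neither the list of affected APIs at the top nor the See also list mentions it; add it to the list or drop it from the example so readers know which interfaces the directive actually covers. `<a ping="https://not-example.com">` has no `href`, so it is not a hyperlink that would send a ping; add an `href` to make the case meaningful. For a zh-cn file, the properties table, the Specifications comments, the compatibility note and the "and" in the `WebSocket` list item are still in English and should be translated, and the header example is tagged `brush: bash` although it is an HTTP header rather than shell.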