diff options
Diffstat (limited to 'files/zh-cn/web/http/headers/x-xss-protection/index.html')
| -rw-r--r-- | files/zh-cn/web/http/headers/x-xss-protection/index.html | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/files/zh-cn/web/http/headers/x-xss-protection/index.html b/files/zh-cn/web/http/headers/x-xss-protection/index.html new file mode 100644 index 0000000000..2c7bcc3086 --- /dev/null +++ b/files/zh-cn/web/http/headers/x-xss-protection/index.html @@ -0,0 +1,84 @@ +--- +title: X-XSS-Protection +slug: Web/HTTP/Headers/X-XSS-Protection +tags: + - X-XSS-Protection + - 跨站脚本攻击 +translation_of: Web/HTTP/Headers/X-XSS-Protection +--- +<div>{{HTTPSidebar}}</div> + +<p>HTTP <strong><code>X-XSS-Protection</code></strong> 响应头是 Internet Explorer,Chrome 和 Safari 的一个特性,当检测到跨站脚本攻击 ({{Glossary("XSS")}})时,浏览器将停止加载页面。若网站设置了良好的 {{HTTPHeader("Content-Security-Policy")}} 来禁用内联 JavaScript (<code>'unsafe-inline'</code>),现代浏览器不太需要这些保护, 但其仍然可以为尚不支持 {{Glossary("CSP")}} 的旧版浏览器的用户提供保护。</p> + +<table class="properties"> + <tbody> + <tr> + <th scope="row">Header type</th> + <td>{{Glossary("Response header")}}</td> + </tr> + <tr> + <th scope="row">{{Glossary("Forbidden header name")}}</th> + <td>no</td> + </tr> + </tbody> +</table> + +<h2 id="语法">语法</h2> + +<pre class="syntaxbox notranslate">X-XSS-Protection: 0 +X-XSS-Protection: 1 +X-XSS-Protection: 1; mode=block +X-XSS-Protection: 1; report=<reporting-uri> +</pre> + +<dl> + <dt>0</dt> + <dd>禁止XSS过滤。</dd> + <dt>1</dt> + <dd>启用XSS过滤(通常浏览器是默认的)。 如果检测到跨站脚本攻击,浏览器将清除页面(删除不安全的部分)。</dd> + <dt>1;mode=block</dt> + <dd>启用XSS过滤。 如果检测到攻击,浏览器将不会清除页面,而是阻止页面加载。</dd> + <dt>1; report=<reporting-URI> (Chromium only)</dt> + <dd>启用XSS过滤。 如果检测到跨站脚本攻击,浏览器将清除页面并使用CSP {{CSP("report-uri")}}指令的功能发送违规报告。</dd> +</dl> + +<h2 id="范例">范例</h2> + +<p>当检测到XSS攻击时阻止页面加载:</p> + +<pre class="brush: bash notranslate">X-XSS-Protection: 1;mode=block</pre> + +<p>PHP</p> + +<pre class="brush: php notranslate">header("X-XSS-Protection: 1; mode=block");</pre> + +<p>Apache (.htaccess)</p> + +<pre class="brush: bash notranslate"><IfModule mod_headers.c> + Header set X-XSS-Protection "1; mode=block" +</IfModule></pre> + +<p>Nginx</p> + +<pre class="brush: bash notranslate">add_header "X-XSS-Protection" "1; mode=block";</pre> + +<h2 id="规范">规范</h2> + +<p>不属于任何一个规范或草案的一部分。</p> + +<h2 id="浏览器兼容性">浏览器兼容性</h2> + +<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p> + +<p>{{Compat("http.headers.X-XSS-Protection")}}</p> + +<h2 id="了解更多">了解更多</h2> + +<ul> + <li>{{HTTPHeader("Content-Security-Policy")}}</li> + <li><a href="https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/">Controlling the XSS Filter – Microsoft</a></li> + <li><a href="https://www.virtuesecurity.com/blog/understanding-xss-auditor/">Understanding XSS Auditor – Virtue Security</a></li> + <li> + <p><a href="http://blog.innerht.ml/the-misunderstood-x-xss-protection/">The misunderstood X-XSS-Protection – blog.innerht.ml</a></p> + </li> +</ul> |