From da78a9e329e272dedb2400b79a3bdeebff387d47 Mon Sep 17 00:00:00 2001 From: Peter Bengtsson Date: Tue, 8 Dec 2020 14:42:17 -0500 Subject: initial commit --- .../content-security-policy/default-src/index.html | 149 ++++++++++++ .../content-security-policy/img-src/index.html | 84 +++++++ .../headers/content-security-policy/index.html | 259 +++++++++++++++++++++ .../content-security-policy/report-to/index.html | 80 +++++++ .../content-security-policy/script-src/index.html | 167 +++++++++++++ 5 files changed, 739 insertions(+) create mode 100644 files/ko/web/http/headers/content-security-policy/default-src/index.html create mode 100644 files/ko/web/http/headers/content-security-policy/img-src/index.html create mode 100644 files/ko/web/http/headers/content-security-policy/index.html create mode 100644 files/ko/web/http/headers/content-security-policy/report-to/index.html create mode 100644 files/ko/web/http/headers/content-security-policy/script-src/index.html (limited to 'files/ko/web/http/headers/content-security-policy') diff --git a/files/ko/web/http/headers/content-security-policy/default-src/index.html b/files/ko/web/http/headers/content-security-policy/default-src/index.html new file mode 100644 index 0000000000..d3c21caf18 --- /dev/null +++ b/files/ko/web/http/headers/content-security-policy/default-src/index.html @@ -0,0 +1,149 @@ +--- +title: 'CSP: default-src' +slug: Web/HTTP/Headers/Content-Security-Policy/default-src +translation_of: Web/HTTP/Headers/Content-Security-Policy/default-src +--- +
+

{{HTTPSidebar}}

+ +

HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) default-src 구문은 다른  CSP 구문이 정의되지 않았을때 이를 대체하는 용도로 사용됩니다.  as a fallback for the other CSP {{Glossary("fetch directive", "fetch directives")}}. 다음과 같은 구문이 없는 경우,  default-src 구문을 찾아서 사용합니다:

+ + + + + + + + + + + + + + +
CSP version1
Directive type{{Glossary("Fetch directive")}}
+ +

Syntax

+ +

하나 이상의 출처가 default-src 정책에 의해서 허용될 수 있습니다:

+ +
Content-Security-Policy: default-src <source>;
+Content-Security-Policy: default-src <source> <source>;
+
+ +

Sources

+ +

<source> 에는 다음에 항목이 포함됩니다. 

+ +
+
<host-source>
+
부수적으로 URL scheme 및/또는 port 번호가 포함된 도메인 또는 IP 주소와 같은 인터넷 호스트, 또한 사이트의 주소 및 포트에 와일트 카드를 사용할 수 도 있습니다 ('*'), 이를 사용하면 모든 주소 또는 포트에서의 유효함을 나타냅니다.
+ 예: +
    +
  • http://*.example.com:  http: 를 사용하는 모든 서브도메인에서 매칭됩
  • +
  • mail.example.com:443: 443 포트로 mail.example.com에 접근하는 경우 매칭됨
  • +
  • https://store.example.com: store.example.com를 https:로 접근하는 경우 매칭됨
  • +
+
+
<scheme-source>
+
 'http:' 또는 'https:'와 같은 스키마. 콜론이 필수적이며, 작은 따음표는 사용하지 않아야 합니다.  스키마도 지정할 수 있습니다 (추천하지 않음). +
    +
  • data:data: URIs 를 컨텐츠 출처로 허용합니다. 이것은 안전하지 않습니다. 공격자가 임의의 데이터를 주입할 수도 있기 때문에 script에는 사용하지 마십시오.
  • +
  • mediastream:mediastream: URIs 을 콘텐츠 출처로 허용합니다.
  • +
  • blob:blob: URIs을 콘텐츠 출처로 허용합니다.
  • +
  • filesystem:filesystem: URIs 을 콘텐츠 출처로 허용합니다.
  • +
+
+
'self'
+
동일한 URL 체계와 포트를 포함하여 보호되는 파일의 원본을 참조합니다.  작은 따음표가 필수적으로 있어야 합니다. 일부 브라우저에서는 blobfilesystem 를 source 지시문에서 제외합니다. 이러한 콘텐츠 타입을 허용해야 하는 사이트는 데이터 attribute를 사용하여 지정할 수 있습니다.
+
'unsafe-inline'
+
인라인 {{HTMLElement("script")}} 태그, javascript: URLs, 인라인 이벤트 핸들러, 그리고 인라인 {{HTMLElement("style")}} 태그와 같은 인라인 요소들을 모두 허용합니다. 작은 따음표를 사용해야만 합니다.
+
'unsafe-eval'
+
eval() 및 문자열에서 코드를 생성하는 함수의 사용을 허용합니다. 작은 따음표를 사용해야만 합니다.
+
'none'
+
아무것도 참조 되지 않습니다. 즉 아무런 URL도 매치되지 않습니다. 작은 따음표를 사용해야만 합니다.
+
'nonce-<base64-value>'
+
암호화 nonce 값을 이용하여 특정 인라인 스크립트에 대하여 허용합니다(nonce는 한번만 사용). 서버는 CSP정책을 전송할 때마다 고유한 nonce를 생성해야만 합니다. 리소스 정책을 우회하는 것은 간단한 일이기 때문에 의심 할 여지가 없는 nonce 값을 제공하는 것이 중요합니다. unsafe inline script 예제를 참고해주세요. nonce는 'unsafe-inline' 와 함께 사용할 경우 모던 브라우저에서는 사용하게 되면  'unsafe-inline'가 무시되지만, 구형 브라우저에서는 nonce가 적용되지 않습니다.
+
'<hash-algorithm>-<base64-value>'
+
스크립트 또는 스타일의  sha256, sha384 or sha512 해쉬. 이것은 대쉬: 로 구분된 해쉬를 사용된 암호화 알고리즘과 base64로 인코딩한 스크립트 및 스타일로 구성됩니다. 해쉬를 생성할 때 절대로 <script> 또는 <style> 태그를 포함하지말고 대소문자와 앞 뒤의 공백을 주의해야 합니다.unsafe inline script 예제를 참고해주세요. CSP 2.0에서는 인라인 스크립트에서만 적용 가능하지만,  CSP 3.0에서는 외부 스크립트를 script-src 에서 허용하기 위해서 사용합니다.
+
'strict-dynamic'
+
The strict-dynamic source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored. See script-src for an example.
+
+ +

Examples

+ +

default-src의 상속 불가

+ +

다른 구문이 지정되면 default-src는 더 이상 영향을 주지 않습니다. 아래의 헤더는 

+ +
Content-Security-Policy: default-src 'self'; script-src https://example.com
+ +

다음과 같습니다:

+ +
Content-Security-Policy: connect-src 'self';
+                         font-src 'self';
+                         frame-src 'self';
+                         img-src 'self';
+                         manifest-src 'self';
+                         media-src 'self';
+                         object-src 'self';
+                         script-src https://example.com;
+                         style-src 'self';
+                         worker-src 'self'
+ +

Specifications

+ + + + + + + + + + + + + + + + + + + +
SpecificationStatusComment
{{specName("CSP 3.0", "#directive-default-src", "default-src")}}{{Spec2('CSP 3.0')}}Added frame-src, manifest-src and worker-src as defaults.
{{specName("CSP 1.1", "#directive-default-src", "default-src")}}{{Spec2('CSP 1.1')}}Initial definition.
+ +

Browser compatibility

+ +

The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.

+ +

{{Compat("http.headers.csp.default-src")}}

+ +

See also

+ + +
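Review bot: the opening paragraph of this file (the line beginning "HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) default-src 구문은") is only half translated: the English fragment "as a fallback for the other CSP {{Glossary("fetch directive", "fetch directives")}}." is left standing in the middle of the Korean sentence and should be translated or dropped, since the Korean clause before it already says the same thing. Smaller issues in the same hunk: "와일트 카드" should be "와일드 카드", "따음표" should be "따옴표" (three occurrences), the first host-source bullet ends in the truncated "매칭됩", the sentence "스키마도 지정할 수 있습니다 (추천하지 않음)" has lost its subject (the source text says data schemes may be specified but are not recommended), "대쉬: 로" in the hash-algorithm entry is garbled, and "blobfilesystem" needs a separator between the two words. The 'strict-dynamic' entry, the "아래의 헤더는" sentence (which stops mid-thought before its code block) and the browser-compat note are still English; the "CSP version / Directive type" table cells are also untranslated, which may be intentional, so please confirm it matches the other ko pages.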
diff --git a/files/ko/web/http/headers/content-security-policy/img-src/index.html b/files/ko/web/http/headers/content-security-policy/img-src/index.html new file mode 100644 index 0000000000..bd959a91db --- /dev/null +++ b/files/ko/web/http/headers/content-security-policy/img-src/index.html @@ -0,0 +1,84 @@ +--- +title: 'CSP: img-src' +slug: Web/HTTP/Headers/Content-Security-Policy/img-src +translation_of: Web/HTTP/Headers/Content-Security-Policy/img-src +--- +
{{HTTPSidebar}}
+ +

The HTTP {{HTTPHeader("Content-Security-Policy")}}: img-src 지시어는 이미지 및 파비콘에 대하여 유효한 출처를 지정합니다.

+ + + + + + + + + + + + + + + + +
CSP version1
Directive type{{Glossary("Fetch directive")}}
{{CSP("default-src")}} fallbackYes. If this directive is absent, the user agent will look for the default-src directive.
+ +

Syntax

+ +

img-src 정책에 대해 하나 이상의 출처를 허용 할 수 있습니다.

+ +
Content-Security-Policy: img-src <source>;
+Content-Security-Policy: img-src <source> <source>;
+
+ +

Sources

+ +

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}

+ +

Examples

+ +

Violation cases

+ +

CSP 헤더가 주어질 때:

+ +
Content-Security-Policy: img-src https://example.com/
+ +

아래의 {{HTMLElement("img")}} 태그가 차단되어 불러오지 않습니다:

+ +
<img src="https://not-example.com/foo.jpg" alt="example picture">
+ +

Specifications

+ + + + + + + + + + + + + + + + + + + +
SpecificationStatusComment
{{specName("CSP 3.0", "#directive-img-src", "img-src")}}{{Spec2('CSP 3.0')}}No changes.
{{specName("CSP 1.1", "#directive-img-src", "img-src")}}{{Spec2('CSP 1.1')}}Initial definition.
+ +

Browser compatibility

+ + + +

{{Compat("http.headers.csp.img-src")}}

+ +

See also

+ + diff --git a/files/ko/web/http/headers/content-security-policy/index.html b/files/ko/web/http/headers/content-security-policy/index.html new file mode 100644 index 0000000000..22c869ef5c --- /dev/null +++ b/files/ko/web/http/headers/content-security-policy/index.html @@ -0,0 +1,259 @@ +--- +title: Content-Security-Policy +slug: Web/HTTP/Headers/Content-Security-Policy +tags: + - CSP + - HTTP + - Reference + - Security + - header +translation_of: Web/HTTP/Headers/Content-Security-Policy +--- +
{{HTTPSidebar}}
+ +

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks ({{Glossary("XSS")}}).

+ +

For more information, see the introductory article on Content Security Policy (CSP).

+ + + + + + + + + + + + +
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
+ +

Syntax

+ +
Content-Security-Policy: <policy-directive>; <policy-directive>
+
+ +

Directives

+ +

{{Glossary("Fetch directive", "Fetch directives")}}

+ +

Fetch directives control locations from which certain resource types may be loaded.

+ +

List of Content Security Policy Fetch directives

+ +
+
{{CSP("child-src")}}
+
Defines the valid sources for web workers and nested browsing contexts loaded using elements such as {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}. +
+

Instead of child-src, authors who wish to regulate nested browsing contexts and workers should use the {{CSP("frame-src")}} and {{CSP("worker-src")}} directives, respectively.

+
+
+
{{CSP("connect-src")}}
+
Restricts the URLs which can be loaded using script interfaces
+
{{CSP("default-src")}}
+
Serves as a fallback for the other {{Glossary("Fetch directive", "fetch directives")}}.
+
{{CSP("font-src")}}
+
Specifies valid sources for fonts loaded using {{cssxref("@font-face")}}.
+
{{CSP("frame-src")}}
+
Specifies valid sources for nested browsing contexts loading using elements such as {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}.
+
{{CSP("img-src")}}
+
Specifies valid sources of images and favicons.
+
{{CSP("manifest-src")}}
+
Specifies valid sources of application manifest files.
+
{{CSP("media-src")}}
+
Specifies valid sources for loading media using the {{HTMLElement("audio")}} , {{HTMLElement("video")}} and {{HTMLElement("track")}} elements.
+
{{CSP("object-src")}}
+
Specifies valid sources for the {{HTMLElement("object")}}, {{HTMLElement("embed")}}, and {{HTMLElement("applet")}} elements.
+
Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and are not recieving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch-directive (e.g. explicitly set object-src 'none' if possible).
+
{{CSP("prefetch-src")}}{{experimental_inline}}
+
Specifies valid sources to be prefetched or prerendered.
+
{{CSP("script-src")}}
+
Specifies valid sources for JavaScript.
+
{{CSP("script-src-elem")}}{{experimental_inline}}
+
Specifies valid sources for JavaScript {{HTMLElement("script")}} elements.
+
{{CSP("script-src-attr")}}{{experimental_inline}}
+
Specifies valid sources for JavaScript inline event handlers.
+
+ +
+
{{CSP("style-src")}}
+
Specifies valid sources for stylesheets.
+
{{CSP("style-src-elem")}}{{experimental_inline}}
+
Specifies valid sources for stylesheets {{HTMLElement("style")}} elements and {{HTMLElement("link")}} elements with rel="stylesheet".
+
{{CSP("style-src-attr")}}{{experimental_inline}}
+
Specifies valid sources for inline styles applied to individual DOM elements.
+
{{CSP("worker-src")}}{{experimental_inline}}
+
Specifies valid sources for {{domxref("Worker")}}, {{domxref("SharedWorker")}}, or {{domxref("ServiceWorker")}} scripts.
+
+ +

{{Glossary("Document directive", "Document directives")}}

+ +

Document directives govern the properties of a document or worker environment to which a policy applies.

+ +

List of Content Security Policy Document directives

+ +
+
{{CSP("base-uri")}}
+
Restricts the URLs which can be used in a document's {{HTMLElement("base")}} element.
+
{{CSP("plugin-types")}}
+
Restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.
+
{{CSP("sandbox")}}
+
Enables a sandbox for the requested resource similar to the {{HTMLElement("iframe")}} {{htmlattrxref("sandbox", "iframe")}} attribute.
+
+ + + +

Navigation directives govern to which location a user can navigate to or submit a form to, for example.

+ +

List of Content Security Policy Navigation directives

+ +
+
{{CSP("form-action")}}
+
Restricts the URLs which can be used as the target of a form submissions from a given context.
+
{{CSP("frame-ancestors")}}
+
Specifies valid parents that may embed a page using {{HTMLElement("frame")}}, {{HTMLElement("iframe")}}, {{HTMLElement("object")}}, {{HTMLElement("embed")}}, or {{HTMLElement("applet")}}.
+
{{CSP("navigate-to")}}{{experimental_inline}}
+
Restricts the URLs to which a document can initiate navigation by any means, including {{HTMLElement("form")}} (if {{CSP("form-action")}} is not specified), {{HTMLElement("a")}}, {{DOMxRef("window.location")}}, {{DOMxRef("window.open")}}, etc.
+
+ +

{{Glossary("Reporting directive", "Reporting directives")}}

+ +

Reporting directives control the reporting process of CSP violations. See also the {{HTTPHeader("Content-Security-Policy-Report-Only")}} header.

+ +

List of Content Security Policy Reporting directives

+ +
+
{{CSP("report-uri")}}{{deprecated_inline}}
+
Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of {{Glossary("JSON")}} documents sent via an HTTP POST request to the specified URI. +
+

Though the {{CSP("report-to")}} directive is intended to replace the deprecated report-uri directive, {{CSP("report-to")}} is not supported in most browsers yet. So for compatibility with current browsers while also adding forward compatibility when browsers get {{CSP("report-to")}} support, you can specify both report-uri and {{CSP("report-to")}}:

+ +
Content-Security-Policy: ...; report-uri https://endpoint.example.com; report-to groupname
+ +

In browsers that support {{CSP("report-to")}}, the report-uri directive will be ignored.

+
+
+
{{CSP("report-to")}}{{experimental_inline}}
+
Fires a SecurityPolicyViolationEvent.
+
+ +

Other directives

+ +
+
{{CSP("block-all-mixed-content")}}
+
Prevents loading any assets using HTTP when the page is loaded using HTTPS.
+
{{CSP("referrer")}}{{deprecated_inline}}{{non-standard_inline}}
+
Used to specify information in the referer (sic) header for links away from a page. Use the {{HTTPHeader("Referrer-Policy")}} header instead.
+
{{CSP("require-sri-for")}}{{experimental_inline}}
+
Requires the use of {{Glossary("SRI")}} for scripts or styles on the page.
+
{{CSP("require-trusted-types-for")}}{{experimental_inline}}
+
Enforces Trusted Types at the DOM XSS injection sinks.
+
+ +
+
{{CSP("trusted-types")}}{{experimental_inline}}
+
Used to specify a whitelist of Trusted Types policies (Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings).
+
+ +
+
{{CSP("upgrade-insecure-requests")}}
+
Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.
+
+ +

CSP in workers

+ +

Workers are in general not governed by the content security policy of the document (or parent worker) that created them. To specify a content security policy for the worker, set a Content-Security-Policy response header for the request which requested the worker script itself.

+ +

The exception to this is if the worker script's origin is a globally unique identifier (for example, if its URL has a scheme of data or blob). In this case, the worker does inherit the content security policy of the document or worker that created it.

+ +

Multiple content security policies

+ +

CSP allows multiple policies being specified for a resource, including via the Content-Security-Policy header, the {{HTTPHeader("Content-Security-Policy-Report-Only")}} header and a {{HTMLElement("meta")}} element.

+ +

You can use the Content-Security-Policy header more than once like in the example below. Pay special attention to the {{CSP("connect-src")}} directive here. Even though the second policy would allow the connection, the first policy contains connect-src 'none'. Adding additional policies can only further restrict the capabilities of the protected resource, which means that there will be no connection allowed and, as the strictest policy, connect-src 'none' is enforced.

+ +
Content-Security-Policy: default-src 'self' http://example.com;
+                         connect-src 'none';
+Content-Security-Policy: connect-src http://example.com/;
+                         script-src http://example.com/
+ +

Examples

+ +

Example: Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https:

+ +
// header
+Content-Security-Policy: default-src https:
+
+// meta tag
+<meta http-equiv="Content-Security-Policy" content="default-src https:">
+
+ +

Example: Pre-existing site that uses too much inline code to fix but wants to ensure resources are loaded only over https and disable plugins:

+ +
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'
+ +

Example: Do not implement the above policy yet; instead just report violations that would have occurred:

+ +
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
+ +

See Mozilla Web Security Guidelines for more examples.

+ +

Specifications

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SpecificationStatusComment
{{specName("CSP 3.0")}}{{Spec2("CSP 3.0")}}Adds manifest-src, navigate-to, report-to, strict-dynamic, worker-src. Undeprecates frame-src. Deprecates report-uri in favor if report-to.
{{specName("Mixed Content")}}{{Spec2("Mixed Content")}}Adds block-all-mixed-content.
{{specName("Subresource Integrity")}}{{Spec2("Subresource Integrity")}}Adds require-sri-for.
{{specName("Upgrade Insecure Requests")}}{{Spec2("Upgrade Insecure Requests")}}Adds upgrade-insecure-requests.
{{specName("CSP 1.1")}}{{Spec2("CSP 1.1")}}Adds base-uri, child-src, form-action, frame-ancestors, plugin-types, referrer, and report-uri. Deprecates frame-src.
{{specName("CSP 1.0")}}{{Spec2("CSP 1.0")}}Defines connect-src, default-src, font-src, frame-src, img-src, media-src, object-src, report-uri, sandbox, script-src, and style-src.
+ +

Browser compatibility

+ + + +

{{Compat("http.headers.csp.Content-Security-Policy")}}

+ +

See also

+ + diff --git a/files/ko/web/http/headers/content-security-policy/report-to/index.html b/files/ko/web/http/headers/content-security-policy/report-to/index.html new file mode 100644 index 0000000000..2fe0b56b97 --- /dev/null +++ b/files/ko/web/http/headers/content-security-policy/report-to/index.html @@ -0,0 +1,80 @@ +--- +title: report-to +slug: Web/HTTP/Headers/Content-Security-Policy/report-to +translation_of: Web/HTTP/Headers/Content-Security-Policy/report-to +--- +

 

+ +

Report-To HTTP 응답 해더 필드는 사용자 에이전트(브라우저)가 레포트를 저장하기 위한 origin의 엔드포인트를 지정합니다.

+ +
Content-Security-Policy: ...; report-to groupname
+
+ +

 

+ +

이 지시어 자체로는 효과는 없지만 다른 지시문과 조합하여 의미를 가질 수 있습니다.

+ + + + + + + + + + + + + + + +
CSP version1
Directive type{{Glossary("Reporting directive")}}
This directive is not supported in the {{HTMLElement("meta")}} element.
+ +

Syntax

+ +
Content-Security-Policy: report-to <json-field-value>;
+ +

Examples

+ +

더 자세한 정보와 예제는 {{HTTPHeader("Content-Security-Policy-Report-Only")}} 를 확인하세요.

+ +
Report-To: { "group": "csp-endpoint",
+             "max-age": 10886400,
+             "endpoints": [
+               { "url": "https://example.com/csp-reports" }
+             ] },
+           { "group": "hpkp-endpoint",
+             "max-age": 10886400,
+             "endpoints": [
+               { "url": "https://example.com/hpkp-reports" }
+             ] }
+Content-Security-Policy: ...; report-to csp-endpoint
+
+ +

 

+ +
Report-To: { "group": "endpoint-1",
+             "max-age": 10886400,
+             "endpoints": [
+               { "url": "https://example.com/reports" },
+               { "url": "https://backup.com/reports" }
+             ] }
+
+Content-Security-Policy: ...; report-to endpoint-1
+ +

 

+ +

브라우저 호환성

+ +

이 페이지의 호환성 테이블은 구조화된 데이터에서 생성됩니다. 데이터에 기여하고 싶다면 https://github.com/mdn/browser-compat-data 를 확인하고 pull request를 보내주세요.

+ +

{{Compat("http.headers.csp.report-to")}}

+ +

See also

+ + + +
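Review bot: the intro sentence "Report-To HTTP 응답 해더 필드는" has a typo, "해더" should be "헤더". This file also has several whitespace-only paragraphs (before the intro, after the first code block, between the two Report-To examples and at the very end); they render as blank gaps and should be removed. The summary-table row "This directive is not supported in the {{HTMLElement("meta")}} element." is left in English, and the heading "브라우저 호환성" is translated here while the same heading stays "Browser compatibility" in the other four files of this commit; pick one convention. The two Report-To examples (the group definitions and the matching report-to directive) are consistent with each other.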

 

diff --git a/files/ko/web/http/headers/content-security-policy/script-src/index.html b/files/ko/web/http/headers/content-security-policy/script-src/index.html new file mode 100644 index 0000000000..98999637aa --- /dev/null +++ b/files/ko/web/http/headers/content-security-policy/script-src/index.html @@ -0,0 +1,167 @@ +--- +title: 'CSP: script-src' +slug: Web/HTTP/Headers/Content-Security-Policy/script-src +translation_of: Web/HTTP/Headers/Content-Security-Policy/script-src +--- +
{{HTTPSidebar}}
+ +

HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) script-src 는 자바스크립트트에 대한 검증된 출처를 지정합니다. 여기에는 {{HTMLElement("script")}} 요소에서 직접 호출한 URL뿐만 아니라,  인라인 스크립트  이벤트 핸들러(onclick) 및 스크립트를 실행할 수 있는  XSLT stylesheets 가 포함됩니다.

+ + + + + + + + + + + + + + + + +
CSP version1
Directive type{{Glossary("Fetch directive")}}
{{CSP("default-src")}} fallbackYes. If this directive is absent, the user agent will look for the default-src directive.
+ +

Syntax

+ +

하나 이상의 출처가 script-src 정책에 의해서 허용될 수 있습니다:

+ +
Content-Security-Policy: script-src <source>;
+Content-Security-Policy: script-src <source> <source>;
+
+ +

Sources

+ +

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}

+ +
+
'report-sample'
+
 Report에 위반 코드 샘플을 포함시키려면 이 항목을 추가 해야 합니다.
+
+ +

예제

+ +

Violation case

+ +

주어진 CSP 헤더:

+ +
Content-Security-Policy: script-src https://example.com/
+ +

아래 스크립트가 차단되어서 로드 또는 실행되지 않습니다:

+ +
<script src="https://not-example.com/js/library.js"></script>
+ +

인라인 스크립트도 실행되지 않습니다:

+ +
<button id="btn" onclick="doSomething()">
+ +

{{domxref("EventTarget.addEventListener", "addEventListener")}}를 호출하는 것으로 대체해야 합니다.:

+ +
document.getElementById("btn").addEventListener('click', doSomething);
+ +

안전하지 않은 인라인 스크립트

+ +
+

Note: 인라인 스타일 및 인라인 스크립트를 허용하지 않는 것이 CSP가 제공하는 가장 큰 보안 이점 중 하나 입니다. 그러나, 인라인 스크립트 및 스타일을 사용해야만 한다면 몇가지 방법을 제공합니다.

+
+ +

인라인 스크립트 및 인라인 이벤트 핸들러를 허용하려면, 'unsafe-inline',  인라인 태그에 정의한 값과 동일한 nonce-source 또는 hash-source를 지정할 수 있습니다.

+ +
Content-Security-Policy: script-src 'unsafe-inline';
+
+ +

위의 CSP는 {{HTMLElement("script")}} 태그를 허용합니다

+ +
<script>
+  var inline = 1;
+</script>
+ +

nonce-source를 사용하면 특정 인라인 스크립트 태그만 허용 할 수 있습니다:

+ +
Content-Security-Policy: script-src 'nonce-2726c7f26c'
+ +

{{HTMLElement("script")}} 태그에 동일한 nonce를 설정해야 합니다 :

+ +
<script nonce="2726c7f26c">
+  var inline = 1;
+</script>
+ +

또는, 인라인 스크립트에서 해시를 설정할 수 도 있습니다. CSP는 sha256, sha384 and sha512를 지원합니다.

+ +
Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='
+ +

해시를 생성할 때에는 {{HTMLElement("script")}} 태그를 포함하지 말고, 대소문자, 태그의 앞뒤 공백이 포함되어야 하는 것을 유의해주십시요.

+ +
<script>var inline = 1;</script>
+ +

안전하지 않은 eval 표현식

+ +

'unsafe-eval' 출처 표현식은 문자열에서 코드를 생성하는 여러 스크립트 실행 메소드를 제어합니다.  만약'unsafe-eval' 이  script-src 에 정의되어 있지 않으면, 아래믜 명령어는 차단되며 아무런 효과가 일어나지 않습니다.

+ + + +

strict-dynamic

+ +

The 'strict-dynamic' source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored. For example, a policy such as script-src 'strict-dynamic' 'nonce-R4nd0m' https://whitelisted.com/ would allow loading of a root script with <script nonce="R4nd0m" src="https://example.com/loader.js">  and propogate that trust to any script loaded by loader.js, but disallow loading scripts from https://whitelisted.com/ unless accompanied by a nonce or loaded from a trusted script.

+ +
script-src 'strict-dynamic' 'nonce-someNonce'
+ +

Or

+ +
script-src 'strict-dynamic' 'sha256-base64EncodedHash'
+ +

It is possible to deploy strict-dynamic in a backwards compatible way, without requiring user-agent sniffing.
+ The policy:

+ +
script-src 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'
+ +

will act like'unsafe-inline' https: in browsers that support CSP1, https: 'nonce-abcdefg' in browsers that support CSP2, and 'nonce-abcdefg' 'strict-dynamic' in browsers that support CSP3.

+ +

Specifications

+ + + + + + + + + + + + + + + + + + + +
SpecificationStatusComment
{{specName("CSP 3.0", "#directive-script-src", "script-src")}}{{Spec2('CSP 3.0')}}No changes.
{{specName("CSP 1.1", "#directive-script-src", "script-src")}}{{Spec2('CSP 1.1')}}Initial definition.
+ +

Browser compatibility

+ + + +

{{Compat("http.headers.csp.script-src")}}

+ +

See also

+ + -- cgit v1.2.3-54-g00ecf
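Review bot: the sentence in the 'unsafe-eval' section ("만약'unsafe-eval' 이 script-src 에 정의되어 있지 않으면, 아래믜 명령어는 차단되며 ...") announces a list of the blocked eval-like methods, but nothing follows it before the strict-dynamic heading in this hunk; the list appears to have been dropped and should be restored. In the same sentence "아래믜" should be "아래의" and a space is missing after "만약". Other issues: "자바스크립트트" in the intro has a doubled syllable; the 'report-sample' entry has a leading space before "Report에"; the hash paragraph ("해시를 생성할 때에는 ... 앞뒤 공백이 포함되어야 하는 것을 유의해주십시요") reads as if leading and trailing whitespace must be included, whereas the point is that capitalization and whitespace, including leading or trailing whitespace, change the hash, so it should say that they matter rather than that they must be included; and the whole strict-dynamic section is still English, with "propogate" and the missing space in "act like'unsafe-inline'" carried over from the source.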