blob: 1581c129948e9c698a4d88fa96a055eed089c914 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
---
title: 'CSP: base-uri'
slug: Web/HTTP/Headers/Content-Security-Policy/base-uri
tags:
- CSP
- HTTP
- 安全
- 指令
- 文档指令
translation_of: Web/HTTP/Headers/Content-Security-Policy/base-uri
---
<div>{{HTTPSidebar}}</div>
<p>HTTP 协议 {{HTTPHeader("Content-Security-Policy")}} 首部字段中的 <strong><code>base-uri</code></strong> 指令限制了可以应用于一个文档的 {{HTMLElement("base")}} 元素的 URL。假如指令值为空,那么任何 URL 都是允许的。如果指令不存在,那么用户代理会使用 {{HTMLElement("base")}} 元素中的值。 </p>
<table class="properties">
<tbody>
<tr>
<th scope="row">CSP version</th>
<td>2</td>
</tr>
<tr>
<th scope="row">Directive type</th>
<td>{{Glossary("Document directive")}}</td>
</tr>
<tr>
<th scope="row">{{CSP("default-src")}} fallback</th>
<td>No. Not setting this allows anything.</td>
</tr>
</tbody>
</table>
<h2 id="语法">语法</h2>
<p>base-uri 安全策略可以设置一个或多个源:</p>
<pre class="syntaxbox">Content-Security-Policy: base-uri <source>;
Content-Security-Policy: base-uri <source> <source>;
</pre>
<h3 id="源">源</h3>
<p>{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}</p>
<h2 id="示例">示例</h2>
<h3 id="Meta_tag_配置">Meta tag 配置</h3>
<pre class="brush: html"><meta http-equiv="Content-Security-Policy" content="base-uri 'self'"></pre>
<h3 id="Apache_配置">Apache 配置</h3>
<pre class="brush: bash"><IfModule mod_headers.c>
Header set Content-Security-Policy "base-uri 'self';
</IfModule></pre>
<h3 id="Nginx_配置">Nginx 配置</h3>
<pre class="brush: bash">add_header Content-Security-Policy "base-uri 'self';"</pre>
<h3 id="违犯策略的案例"><em>违犯策略的案例</em></h3>
<p>假如你的域名不是 example.com,那么将 {{HTMLElement("base")}} 元素的 href 属性值设置成 example.com 会违犯 CSP 策略。</p>
<pre class="brush: html; example-bad"><meta http-equiv="Content-Security-Policy" content="base-uri 'self'">
<base href="http://example.com/">
// Error: Refused to set the document's base URI to 'http://example.com/'
// because it violates the following Content Security Policy
// directive: "base-uri 'self'"</pre>
<h2 id="规范">规范</h2>
<table class="standard-table">
<tbody>
<tr>
<th scope="col">Specification</th>
<th scope="col">Status</th>
<th scope="col">Comment</th>
</tr>
<tr>
<td>{{specName("CSP 3.0", "#directive-base-uri", "base-uri")}}</td>
<td>{{Spec2('CSP 3.0')}}</td>
<td>No changes.</td>
</tr>
<tr>
<td>{{specName("CSP 1.1", "#directive-base-uri", "base-uri")}}</td>
<td>{{Spec2('CSP 1.1')}}</td>
<td>Initial definition.</td>
</tr>
</tbody>
</table>
<h2 id="浏览器兼容性">浏览器兼容性</h2>
<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
<p>{{Compat("http.headers.csp.base-uri")}}</p>
<h2 id="相关内容">相关内容</h2>
<ul>
<li>{{HTTPheader("Content-Security-Policy")}}</li>
<li>{{HTMLElement("base")}}</li>
<li>{{domxref("Node.baseURI")}}</li>
</ul>
|
