
Description
The idea is quite simple: by sending a CSP header with the page, the website tells the browser which sources it is authorized to execute or load content from and what it must block. Content Security Policy does not remove a cross-site scripting (XSS) bug from the page, but it limits what an injected script can do, which makes the vulnerability much harder to exploit.
CSP lets a host specify an allowlist of approved sources from which the browser may load content, and it is an effective countermeasure against XSS attacks.
Content Security Policy is delivered in an HTTP response header (Content-Security-Policy), much like HSTS, and defines the approved sources of content the browser may load. It is widely supported by browsers and usually easy to deploy; a common approach is to ship the policy first as Content-Security-Policy-Report-Only with a report-uri, review the violation reports, and only then switch to the enforcing header.
CSP Directives
* default-src: Defines the loading policy for all resource types for which no dedicated directive is given (the fallback). Fetch directives such as script-src, img-src and connect-src fall back to it; form-action, sandbox and report-uri do not.
* script-src: Defines which scripts the protected resource may execute. Inline scripts are blocked unless allowed with 'unsafe-inline', a 'nonce-<base64>' source or a hash source.
* object-src: Defines from where the protected resource may load plugins (object, embed and applet elements). Setting it to 'none' is the usual choice.
* style-src: Defines which stylesheets (CSS) the user agent may apply to the protected resource.
* img-src: Defines from where the protected resource may load images.
* media-src: Defines from where the protected resource may load video and audio.
* frame-src: Defines from where the protected resource may embed frames. It was deprecated in CSP Level 2 in favour of child-src and reinstated in Level 3.
* font-src: Defines from where the protected resource may load fonts.
* connect-src: Defines which URIs the protected resource may reach through script interfaces (XMLHttpRequest, fetch, WebSocket, EventSource).
* form-action: Defines which URIs may be used as the action of HTML form elements. It does not fall back to default-src, so set it explicitly.
* sandbox: Specifies an HTML sandbox policy that the user agent applies to the protected resource, using the same flags as the iframe sandbox attribute.
* script-nonce: Defines script execution by requiring the specified nonce on script elements. This was a CSP 1.1 draft directive that never shipped; browsers implement nonces as the 'nonce-<base64>' source expression inside script-src and style-src instead.
* plugin-types: Defines the set of plugins the protected resource may invoke by limiting the MIME types that can be embedded. It was dropped from CSP Level 3 and is no longer supported by current browsers; use object-src 'none' instead.
* reflected-xss: Instructs a user agent to activate or deactivate heuristics for filtering or blocking reflected cross-site scripting, equivalent to the non-standard X-XSS-Protection header. It was a draft directive that never shipped, and Chrome's XSS Auditor, which it was meant to control, was removed in 2019.
* report-uri: Specifies a URI to which the user agent sends reports about policy violations. It is deprecated in CSP Level 3 in favour of report-to but remains widely supported, so sending both is the safe choice.
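The two passages above describe what the site sends and what the browser then enforces. The following is an added example, not the plugin's own code, that serializes a policy built from the directives listed into the header value a site would send, parses it back the way a browser does, and evaluates a set of constructed resource loads against it, including the default-src fallback, the form-action non-fallback and nonce handling for inline scripts. The origin https://example.com, the host cdn.example.net, the report path and the nonce value are all assumptions made for illustration; real host-source matching (wildcards, ports, paths) is more involved than the simplified matcher here.

```javascript
// Added example, not the plugin's own code: serialize a CSP policy into the
// header value a site sends, then evaluate sample loads the way a browser does.
// Origins, hosts and the nonce below are constructed for illustration.

const PAGE_ORIGIN = "https://example.com"; // assumed origin of the protected resource
const NONCE = "r4nd0mNonce123";            // assumed per-response nonce; derive from a CSPRNG in real code

// Directives the site wants to send; keys are CSP directive names.
const policy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", `'nonce-${NONCE}'`, "https://cdn.example.net"],
  "object-src": ["'none'"],
  "img-src": ["'self'", "data:"],
  "form-action": ["'self'"],
  "report-uri": ["/csp-report"],
};

// Header value: directives separated by ";", sources separated by whitespace.
function serialize(p) {
  return Object.entries(p).map(([name, srcs]) => `${name} ${srcs.join(" ")}`).join("; ");
}

// Parse a header value back into a map. A repeated directive is ignored, as in the spec.
function parse(headerValue) {
  const out = {};
  for (const token of headerValue.split(";")) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name && !(name in out)) out[name] = sources;
  }
  return out;
}

// Fetch directives that fall back to default-src when absent. form-action,
// sandbox and report-uri are deliberately not in this set.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "media-src", "font-src",
  "connect-src", "object-src", "frame-src",
]);

// Returns the source list that governs a directive, or null for "unrestricted".
function effectiveSources(parsed, directive) {
  if (directive in parsed) return parsed[directive];
  if (FALLS_BACK_TO_DEFAULT.has(directive) && "default-src" in parsed) return parsed["default-src"];
  return null;
}

// Does one source expression match a URL? Keyword sources ('nonce-', 'unsafe-inline')
// never match a URL; wildcard hosts such as *.example.com are not handled here.
function sourceMatches(expr, url) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === PAGE_ORIGIN;
  if (expr.startsWith("'")) return false;
  if (expr === "*") return true;
  if (expr.endsWith(":")) return url.protocol === expr;            // scheme source, e.g. data:
  const host = new URL(expr.includes("://") ? expr : `${url.protocol}//${expr}`);
  return host.protocol === url.protocol && host.host === url.host; // host source
}

function isAllowed(parsed, directive, urlString) {
  const sources = effectiveSources(parsed, directive);
  if (sources === null) return true;
  const url = new URL(urlString, PAGE_ORIGIN);
  return sources.some((expr) => sourceMatches(expr, url));
}

// Inline <script> handling: once a nonce or hash source is present,
// 'unsafe-inline' is ignored and only a matching nonce lets the script run.
function inlineScriptAllowed(parsed, nonce) {
  const sources = effectiveSources(parsed, "script-src");
  if (sources === null) return true;
  const nonceOrHash = sources.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
  if (!nonceOrHash) return sources.includes("'unsafe-inline'");
  return nonce !== undefined && sources.includes(`'nonce-${nonce}'`);
}

// Round-trip the policy and check a set of constructed loads against it.
function demo() {
  const header = serialize(policy);
  const parsed = parse(header);
  return {
    header,
    cdnScript: isAllowed(parsed, "script-src", "https://cdn.example.net/app.js"),
    foreignScript: isAllowed(parsed, "script-src", "https://evil.example.org/x.js"),
    noncedInline: inlineScriptAllowed(parsed, NONCE),
    injectedInline: inlineScriptAllowed(parsed, undefined),
    plugin: isAllowed(parsed, "object-src", "https://example.com/movie.swf"),
    dataImage: isAllowed(parsed, "img-src", "data:image/png;base64,AAAA"),
    selfStyle: isAllowed(parsed, "style-src", "https://example.com/site.css"),
    foreignStyle: isAllowed(parsed, "style-src", "https://evil.example.org/a.css"),
    foreignForm: isAllowed(parsed, "form-action", "https://evil.example.org/steal"),
  };
}

console.log(demo());
```

The injected inline script without a nonce is the case CSP is deployed for: an attacker who can inject markup cannot guess the per-response nonce, so the script-src list blocks it while the site's own nonced script still runs. The style check shows default-src doing its job for a directive the policy never mentioned, while form-action has to be stated explicitly or form data can be posted anywhere.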
Written By
This plugin was written by Laxman Thapa, Web Developer, lakshman.com.np.
