Introduction
- The WordPress plugin "Content Security Policy Pro" was published on 2016-09-20. It has since been removed from the plugin directory and is no longer updated; installing it is not recommended.
- It currently has 400 active installations.
- The last update was on 2019-04-04, 2222 days ago. A plugin that has gone more than a year without updates should be checked for compatibility with your WordPress version before installing, and you should consider who will maintain it afterwards.
- The plugin requires WordPress 3.0.1 or later.
- 4 people have rated it.
- No one has asked a question in the support forum yet. Usage is probably low, so few problems have been reported; that is not evidence that none exist.
Plugin contributors
Plugin tags
cps | security | content security policy |
Description
The idea is simple: by sending a CSP header with each page, the site tells the browser which sources it is authorised to load and execute content from, and the browser blocks everything else. Used this way, Content Security Policy helps contain cross-site scripting (XSS): an injected script may still land in the page, but the browser refuses to run it unless it comes from an allowed source.
CSP lets the host specify an allowlist of approved sources from which the browser may load each type of content, and is an effective mitigation for XSS attacks. It is a second line of defence, not a substitute for output encoding and input validation in the application itself.
The policy is delivered in the Content-Security-Policy HTTP response header, much like HSTS is, and defines the approved content sources for the document. The Content-Security-Policy-Report-Only header takes the same syntax but only reports violations without blocking anything, which is the usual way to trial a policy before enforcing it. CSP is widely supported by browsers and usually straightforward to deploy, although sites that rely on inline scripts or third-party widgets will need to adjust them first.
CSP directives
* default-src: the loading policy for every resource type that has no dedicated directive (the fallback),
* script-src: which scripts the protected document may execute; this is also the directive that carries 'nonce-…' and hash source expressions,
* object-src: where the protected document may load plugins (such as Flash or Java applets) from,
* style-src: which styles (CSS) may be applied to the protected document,
* img-src: where the protected document may load images from,
* media-src: where the protected document may load video and audio from,
* frame-src: where the protected document may embed frames from (deprecated in CSP Level 2 in favour of child-src, reinstated in Level 3),
* font-src: where the protected document may load fonts from,
* connect-src: which URIs the protected document may reach through script interfaces (XMLHttpRequest, fetch, WebSocket, EventSource),
* form-action: which URIs may be used as the action of HTML form elements (this directive does not fall back to default-src),
* sandbox: an HTML sandbox policy the user agent applies to the protected document, with the same keywords as the iframe sandbox attribute,
* script-nonce: requires the given nonce on script elements before they execute. This was a CSP 1.1 draft directive that never shipped; current browsers expect a 'nonce-<value>' source expression in script-src instead,
* plugin-types: restricts which plugin MIME types may be embedded. Deprecated and removed from current browsers; use object-src 'none' instead,
* reflected-xss: tells the user agent to enable or disable its heuristics for filtering or blocking reflected cross-site scripting, the equivalent of the non-standard X-XSS-Protection header. Also a CSP 1.1 draft directive that never shipped, and browsers have since removed the XSS filters themselves,
* report-uri: a URI to which the user agent sends reports about policy violations (superseded by report-to in CSP Level 3, but still the most widely supported way to collect reports).
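As an added example (not the plugin's code, and not from its author), the following Python script parses a policy written in the syntax described above and applies the default-src fallback rule and the source-matching rules to concrete requests. The policy, page URL, host names and nonce value are constructed for the demonstration; path matching, redirects and IPv6 hosts are left out.

```python
"""Minimal Content-Security-Policy evaluator (added example, not the plugin's code).
Parses a CSP header value, resolves the default-src fallback chain and decides
whether a fetch or an inline script is allowed.  Source matching follows the
CSP Level 3 "matches a source list" algorithm closely enough to illustrate it."""
from urllib.parse import urlsplit

# Fetch directives and what each falls back to when it is absent (CSP Level 3).
# Directives such as form-action, frame-ancestors and base-uri never fall back.
FALLBACK = {
    "script-src": "default-src", "style-src": "default-src", "img-src": "default-src",
    "font-src": "default-src", "media-src": "default-src", "object-src": "default-src",
    "connect-src": "default-src", "child-src": "default-src", "frame-src": "child-src",
}
NETWORK = ("http", "https", "ws", "wss")
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Constructed sample policy and page; the nonce value is illustrative only.
POLICY = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com; "
          "img-src 'self' https: data:; object-src 'none'; "
          "frame-src https://*.youtube.com; report-uri /csp-report")
PAGE = "https://blog.example.com/post/1"


def parse_csp(header):
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; a repeated directive name is ignored."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def governing_directive(policy, directive):
    """Walk the fallback chain; None means nothing in the policy restricts this fetch."""
    d = directive
    while d is not None and d not in policy:
        d = FALLBACK.get(d)
    return d


def _origin(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORT.get(scheme)


def source_matches(expr, url, page_url, nonce=None):
    """Does a single source expression permit loading url into a page at page_url?"""
    if expr.startswith("'nonce-") and expr.endswith("'"):
        return nonce is not None and expr[7:-1] == nonce      # nonces are case-sensitive
    e = expr.lower()
    scheme, host, port = _origin(url)
    if e == "'none'":
        return False
    if e == "'self'":
        ps, ph, pp = _origin(page_url)
        if (scheme, host, port) == (ps, ph, pp):
            return True
        # CSP3: the same host and port over https:/wss: also counts as 'self'
        return host == ph and port == pp and (scheme in ("https", "wss") or (ps, scheme) == ("http", "http"))
    if e.startswith("'"):
        return False                      # 'unsafe-inline', 'strict-dynamic', hashes: not fetch sources
    if e == "*":
        return scheme in NETWORK          # '*' never matches data:, blob: or filesystem:
    if e.endswith(":") and "/" not in e:  # scheme-source such as "https:" or "data:"
        return scheme == e[:-1] or (e == "http:" and scheme == "https")
    # host-source: [scheme://]host[:port][/path]
    src_scheme, _, rest = e.rpartition("://")
    if src_scheme:
        if scheme != src_scheme and not (src_scheme == "http" and scheme == "https"):
            return False
    elif scheme not in NETWORK:
        return False                      # a bare host never matches data: and friends
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]) or host == src_host[2:]:
            return False                  # *.example.com matches a.example.com, not example.com
    elif src_host != host:
        return False
    if src_port == "":
        return port == DEFAULT_PORT.get(scheme)
    return src_port == "*" or src_port == str(port)


def is_allowed(header, directive, url, page_url, nonce=None):
    """Would a fetch of url, governed by directive, be permitted under header?"""
    policy = parse_csp(header)
    d = governing_directive(policy, directive)
    return d is None or any(source_matches(s, url, page_url, nonce) for s in policy[d])


def inline_script_allowed(header, nonce=None):
    """A matching nonce wins; 'unsafe-inline' only counts when the policy carries
    no nonce or hash at all, because CSP Level 2+ ignores it otherwise."""
    policy = parse_csp(header)
    d = governing_directive(policy, "script-src")
    if d is None:
        return True
    srcs = policy[d]
    if nonce is not None and f"'nonce-{nonce}'" in srcs:
        return True
    lowered = [s.lower() for s in srcs]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


if __name__ == "__main__":
    for directive, url in [("script-src", "https://cdn.example.com/jquery.js"),
                           ("font-src", "https://fonts.example.net/a.woff"),   # -> default-src 'self'
                           ("connect-src", "wss://blog.example.com/socket"),   # 'self' covers wss:
                           ("frame-src", "https://youtube.com/"),              # wildcard needs a subdomain
                           ("object-src", "https://blog.example.com/a.swf")]:  # 'none'
        print(f"{directive:12} {url:38} {'allow' if is_allowed(POLICY, directive, url, PAGE) else 'BLOCK'}")
    print("inline script, no nonce:", inline_script_allowed(POLICY))
    print("inline script, nonce r4nd0m:", inline_script_allowed(POLICY, "r4nd0m"))
```

Running it prints an allow or block verdict for each request. Two points it makes that the directive list alone does not: a directive such as font-src that is missing from the policy is governed by default-src, but a policy with no default-src at all leaves that resource type unrestricted; and once script-src carries a nonce or hash, 'unsafe-inline' is ignored, so adding a nonce to an existing policy can silently break inline scripts that used to run. A WordPress plugin would typically emit such a header from the send_headers action; this script only evaluates a policy and sends nothing.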
Author
This plugin was written by web developer Laxman Thapa, lakshman.com.np.
Original plugin description
The idea is quite simple: By sending a CSP header from a website, you are telling the browser what it is authorized to execute and what it is authorized to block. And by doing this, Content Security Policy helps block the XSS vulnerabilities.
CSP allows a host to specify a whitelist of approved sources that a browser can load content from and is an effective countermeasure for XSS attacks.
Content Security Policy is delivered via an HTTP response header, much like HSTS, and defines approved sources of content that the browser may load. It can be an effective countermeasure to Cross Site Scripting (XSS) attacks and is also widely supported and usually easily deployed.
CSP Directives
* default-src: Define the loading policy for all resource types in case a resource-type-specific directive is not defined (fallback),
* script-src: Define which scripts the protected resource can execute,
* object-src: Define from where the protected resource can load plugins,
* style-src: Define which styles (CSS) the user applies to the protected resource,
* img-src: Define from where the protected resource can load images,
* media-src: Define from where the protected resource can load video and audio,
* frame-src: Define from where the protected resource can embed frames,
* font-src: Define from where the protected resource can load fonts,
* connect-src: Define which URIs the protected resource can load using script interfaces,
* form-action: Define which URIs can be used as the action of HTML form elements,
* sandbox: Specifies an HTML sandbox policy that the user agent applies to the protected resource,
* script-nonce: Define script execution by requiring the presence of the specified nonce on script elements,
* plugin-types: Define the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded,
* reflected-xss: Instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header,
* report-uri: Specifies a URI to which the user agent sends reports about policy violations
Written By
This plugin was written by Laxman Thapa, Web Developer.
Downloads by version
- Method one: click a version number link below to download the ZIP file, then log in to the site's admin dashboard, open "Plugins" > "Add New" in the left menu, choose "Upload Plugin" at the top, and upload the downloaded ZIP archive to install and activate it.
- Method two: use the search box on the right of the "Add New" screen to search for the plugin name "Content Security Policy Pro" and install it from there.
(Method two is normally recommended because it ensures the installed version matches the WordPress environment you are running. Since this plugin has been removed from the directory, the search may return nothing, leaving only method one.)
1.0 | 1.1 | 1.2 | 1.3 | 1.3.1 | 1.3.2 | 1.3.3 | 1.3.4 | 1.3.5 | trunk |
Related plugins (you may also want to know)
WordPress 淘宝客插件 (WordPress Taobaoke plugin) 》With the WordPress Taobaoke plugin you can add Taobaoke (Taobao affiliate) options to any post type, so your blog can promote Taobao products and earn a commission on sales.