Content Security Policy - 版本历史

2024年1月9日 (二) 03:14 Riguz

2024-01-09T03:14:45Z

←上一版本		2024年1月9日 (二) 03:14的版本
第14行：		第14行：

	= 'nonce-*'=		= 'nonce-*'=
	A cryptographic nonce (only used once) to allow scripts. The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial. This is used in conjunction with the script tag nonce attribute. For example, nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV.		A cryptographic nonce (only used once) to allow scripts. The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial. This is used in conjunction with the script tag nonce attribute. For example, <syntaxhighlight lang="bash" inline>nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV</syntaxhighlight>.

	= 'sha-' =		= 'sha-' =
	sha256, sha384, or sha512. Followed by a dash and then the sha* value. For example, sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY=.		sha256, sha384, or sha512. Followed by a dash and then the sha* value. For example, <syntaxhighlight lang="bash" inline>sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY=</syntaxhighlight>.

	* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP		* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

2024年1月9日 (二) 01:24 Riguz

2024-01-09T01:24:48Z

←上一版本		2024年1月9日 (二) 01:24的版本
第12行：		第12行：

	A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own (for a complete list, see the description of the default-src directive). A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style> element or a style attribute. There are specific directives for a wide variety of types of items, so that each type can have its own policy, including fonts, frames, images, audio and video media, scripts, and workers.		A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own (for a complete list, see the description of the default-src directive). A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style> element or a style attribute. There are specific directives for a wide variety of types of items, so that each type can have its own policy, including fonts, frames, images, audio and video media, scripts, and workers.

			= 'nonce-*'=
			A cryptographic nonce (only used once) to allow scripts. The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial. This is used in conjunction with the script tag nonce attribute. For example, nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV.

			= 'sha-' =
			sha256, sha384, or sha512. Followed by a dash and then the sha* value. For example, sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY=.

	* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP		* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

2024年1月9日 (二) 01:23 Riguz

2024-01-09T01:23:33Z

←上一版本		2024年1月9日 (二) 01:23的版本
第14行：		第14行：

	* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP		* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
			* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

	[[Category:Protocol]]		[[Category:Protocol]]
	[[Category:HTTP]]		[[Category:HTTP]]

2024年1月9日 (二) 01:22 Riguz

2024-01-09T01:22:52Z

←上一版本		2024年1月9日 (二) 01:22的版本
第11行：		第11行：
	</syntaxhighlight>		</syntaxhighlight>

			A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own (for a complete list, see the description of the default-src directive). A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style> element or a style attribute. There are specific directives for a wide variety of types of items, so that each type can have its own policy, including fonts, frames, images, audio and video media, scripts, and workers.

	* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP		* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Riguz：创建页面，内容为“Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may se…”

2024-01-09T01:22:00Z

创建页面，内容为“Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. To enable CSP, you need to configure your web server to return the <syntaxhighlight lang="bash" inline>Content-Security-Policy</syntaxhighlight> HTTP header. (Sometimes you may se…”

新页面

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

To enable CSP, you need to configure your web server to return the <syntaxhighlight lang="bash" inline>Content-Security-Policy</syntaxhighlight> HTTP header. (Sometimes you may see mentions of the <syntaxhighlight lang="bash" inline>X-Content-Security-Polic</syntaxhighlight>y header, but that's an older version and you don't need to specify it anymore.)

Alternatively, the <meta> element can be used to configure a policy, for example:

<syntaxhighlight lang="html">
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; img-src https://*; child-src 'none';" />
</syntaxhighlight>

* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

[[Category:Protocol]]
[[Category:HTTP]]