Content Security Policy

https://content-security-policy.com/

The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.

现代浏览器提供的防止XSS攻击的手段。服务器设置此响应头，规定本网站中的网页内容，执行的内容访问的安全策略。

Directive（指令）

The Content-Security-Policy header value is made up of one or more directives (defined below), multiple directives are separated with a semicolon ;

This documentation is provided based on the Content Security Policy 1.0 W3C Candidate Recommendation

此响应头部值，由一个或者更多的指令构成，如果是多个指令，则指令之间以分好隔开。符合 W3C候选标准。

default-src 'self' cdn.example.com The default-src is the default policy for loading content such as JavaScript, Images, CSS, Font's, AJAX requests, Frames, HTML5 Media. See the Source List Reference for possible values.

规定默认源访问控制策略，如果是self，则表示可以引用自己网站的资源，还可添加指定的其它网站域名。

script-src 'self' js.example.com Defines valid sources of JavaScript.

脚本源访问控制。

style-src 'self' css.example.com Defines valid sources of stylesheets.

样式资源访问控制。

img-src 'self' img.example.com Defines valid sources of images.

图片资源访问控制。

connect-src 'self' Applies to XMLHttpRequest (AJAX), WebSocket or EventSource. If not allowed the browser emulates a 400 HTTP status code.

ajax websocket eventsource 访问源控制。

font-src font.example.com Defines valid sources of fonts.

字体资源访问控制。

object-src 'self' Defines valid sources of plugins, eg <object>, <embed> or <applet>.

嵌入式对象资源访问控制。

media-src media.example.com Defines valid sources of audio and video, eg HTML5 <audio>, <video> elements.

媒体源访问控制。

frame-src 'self' Defines valid sources for loading frames. child-src is preferred over this deprecated directive.

框架源访问控制。

child-src 'self' Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>

代替frame-src, 确定页面中框架源访问控制。

form-action 'self' Defines valid sources that can be used as a HTML <form> action.

允许表单提交的目标定义。

frame-ancestors 'none' Defines valid sources for embedding the resource using <frame> <iframe> <object> <embed> <applet>. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY

是否允许本页面被其它页面嵌入的控制。

Source List（源头内容列表）

All of the directives that end with -src support similar values known as a source list. Multiple source list values can be space separated with the exception of 'none' which should be the only value..

以src结尾的指令支持类似的值，这些值列举如下。多源头列表值，使用空格分开，如果只有一个值“none”，则其实唯一的值，不能去其它值并存。

Source Value Example Description
* img-src * Wildcard, allows any URL except data: blob: filesystem: schemes.

允许任何URL，但是不允许 data blob filesystem 方案。

'none' object-src 'none' Prevents loading resources from any source.

不允许从任何源头下载资源。

'self' script-src 'self' Allows loading resources from the same origin (same scheme, host and port).

遵守同源策略。

data: img-src 'self' data: Allows loading resources via the data scheme (eg Base64 encoded images).

允许以data方案加载资源。

domain.example.com img-src domain.example.com Allows loading resources from the specified domain name.

允许从指定域名下载资源。

*.example.com img-src *.example.com Allows loading resources from any subdomain under example.com.

允许加载任何子域名和资源。

https://cdn.com img-src https://cdn.com Allows loading resources only over HTTPS matching the given domain.

允许以https方式加载指定域名的资源。

https: img-src https: Allows loading resources only over HTTPS on any domain.

只允许以https方式加载。

'unsafe-inline' script-src 'unsafe-inline' Allows use of inline source elements such as style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to)

允许使用行内源元素，这里将这些元素定义为 unsafe。

'unsafe-eval' script-src 'unsafe-eval' Allows unsafe dynamic code evaluation such as JavaScript eval()

允许使用不安全的eval接口。