CSP policy directives

In Content Security Policy (CSP), a site administrator can define several policy scopes. These policies can be combined freely to meet the site's needs; you do not have to specify all of them.

Content sources

Most policy directives require one or more content sources. A content source is a string that indicates where content may be loaded from.

Source lists

A source list is a string that specifies one or more Internet hosts (by host name or IP address), with an optional URL scheme and/or port number. The site address may include an optional leading wildcard (the asterisk, '*'), and the port number may also be a wildcard (again '*') to indicate that all legal ports are valid sources. Hosts are separated by spaces.

Valid host expressions include:

http://*.foo.com
Matches all attempts to load from any subdomain of foo.com using the http: URL scheme.
mail.foo.com:443
Matches all attempts to access port 443 on mail.foo.com.
https://store.foo.com
Matches all attempts to access store.foo.com using the https: scheme.

If no port number is specified, the browser uses the default port for the specified scheme. If no scheme is specified, the browser uses the scheme with which the document was accessed.
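To make the matching rules above concrete, here is an added example (not code from the original page or from any browser) that evaluates a source list against a URL: wildcard prefixes, wildcard ports, the default port for a scheme, the document's scheme when none is given, and the 'self' and 'none' keywords described later on this page. The scheme-must-match-exactly rule and the port table are simplifications chosen for this illustration.

```python
from urllib.parse import urlsplit

# Default ports per scheme; used when a source expression or a target URL omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_source_expression(expr, document_url):
    """Split a host-source expression such as 'http://*.foo.com' or
    'mail.foo.com:443' into (scheme, host, port).  A missing scheme is taken
    from the document's URL and a missing port from that scheme's default,
    which is the fallback behaviour described on this page."""
    doc = urlsplit(document_url)
    scheme = None
    rest = expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    host, _, port = rest.partition(":")
    scheme = (scheme or doc.scheme).lower()
    if port == "*":
        port_value = "*"                          # any legal port
    elif port:
        port_value = int(port)
    else:
        port_value = DEFAULT_PORTS.get(scheme)
    return scheme, host.lower(), port_value


def host_matches(pattern, host):
    """'*' matches any host; '*.foo.com' matches subdomains of foo.com
    (but not foo.com itself); anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".foo.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def source_matches(expr, url, document_url):
    """True if one source expression (host expression or keyword) allows URL."""
    doc = urlsplit(document_url)
    target = urlsplit(url)
    t_scheme = target.scheme.lower()
    t_host = (target.hostname or "").lower()
    t_port = target.port or DEFAULT_PORTS.get(t_scheme)
    if expr == "'none'":
        return False                              # the empty set: nothing matches
    if expr == "'self'":
        d_port = doc.port or DEFAULT_PORTS.get(doc.scheme.lower())
        return (t_scheme, t_host, t_port) == (
            doc.scheme.lower(), (doc.hostname or "").lower(), d_port)
    if expr.startswith("'"):
        return False                              # 'unsafe-inline' etc. name no host
    scheme, host, port = parse_source_expression(expr, document_url)
    # Simplification: the scheme must match exactly, as the page's examples read.
    if t_scheme != scheme:
        return False
    if not host_matches(host, t_host):
        return False
    return port == "*" or port == t_port


def allowed_by_source_list(source_list, url, document_url):
    """Evaluate a whole space-separated source list: any matching entry allows the URL."""
    return any(source_matches(expr, url, document_url) for expr in source_list.split())
```

Note that "http://*.foo.com" does not allow "http://foo.com/" itself, and that "https://store.foo.com" matches an explicit ":443" because that is the scheme's default port.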

Keywords

Some keywords describe special classes of content source. They are:

'none'
Refers to the empty set; that is, no URLs match. The single quotes are required.
'self'
Refers to the origin from which the protected document is being served, including the same URL scheme and port number. The single quotes are required.
'unsafe-inline'
Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. The single quotes are required.
'unsafe-eval'
Allows the use of eval() and similar methods for creating code from strings. The single quotes are required.
Note: Both 'unsafe-inline' and 'unsafe-eval' are insecure; they expose your site to cross-site scripting attacks.

For example, you can specify that content may be loaded from the document's own origin and from trustedscripts.foo.com:

Content-Security-Policy: default-src 'self' trustedscripts.foo.com

Data

Note: data: URIs are insecure; if they are allowed as a script source, they expose your site to cross-site scripting attacks.
data:
Allows data: URIs to be used as a content source. This is insecure; an attacker can craft a data: URI to use in an attack. Use this source sparingly and definitely not for scripts.
mediastream:
Allows mediastream: URIs to be used as a content source.
Content-Security-Policy: default-src 'self'; img-src 'self' data:; media-src mediastream:

Supported policy directives

The following policy directives configure a security policy for a given policy scope.

base-uri

The base-uri directive defines the URIs that a user agent may use as the document base URL. If this value is absent, any URI is allowed. If this directive is absent, the user agent will use the URL in the <base> element.

base-uri source-list

child-src

The child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. This directive is preferred over the deprecated frame-src directive. For workers, non-compliant requests are treated as fatal network errors by the user agent.

Note: If this directive is absent, the user agent will look for the default-src directive.
child-src source-list

connect-src

The connect-src directive defines valid sources for fetch, XMLHttpRequest, WebSocket, and EventSource connections.

Note: If this directive is absent, the user agent will look for the default-src directive.
Note: Prior to Firefox 23, xhr-src was used in place of the connect-src directive and only restricted the use of XMLHttpRequest.
connect-src source-list

default-src

The default-src directive defines the security policy for types of content not expressly called out by more specific directives. This directive covers the following directives:

  • child-src
  • connect-src
  • font-src
  • img-src
  • media-src
  • object-src
  • script-src
  • style-src
default-src source-list
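The fallback rule matters in practice: a source that is acceptable for images may silently become the effective policy for scripts when script-src is not spelled out. The following added example (not code from the original page or from any browser) parses a Content-Security-Policy header value, resolves the source list a user agent would enforce for a given directive using the default-src fallback exactly as listed above (base-uri, form-action and frame-ancestors do not fall back), and flags the sources this page calls unsafe when they end up governing scripts or styles. The first-occurrence-wins handling of repeated directives follows the CSP specification and is not stated on this page.

```python
# Directives that fall back to default-src when absent, as listed on this page.
FALLS_BACK_TO_DEFAULT = {
    "child-src", "connect-src", "font-src", "img-src",
    "media-src", "object-src", "script-src", "style-src",
}


def parse_csp(header_value):
    """Parse a Content-Security-Policy header value into {directive: [sources]}.
    Directives are separated by ';' and tokens by whitespace.  When a directive
    name is repeated, the first occurrence wins (the CSP specification ignores
    later duplicates; that rule is not stated on the page above)."""
    policy = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return the source list the user agent will actually enforce for a
    directive: the directive's own list if present, otherwise default-src for
    the directives that fall back to it, otherwise None (unrestricted)."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


# Sources this page calls out as unsafe when they reach the given directive.
RISKY = {
    "script-src": {"'unsafe-inline'", "'unsafe-eval'", "data:"},
    "style-src": {"'unsafe-inline'"},
}


def audit_policy(header_value):
    """List (directive, source) pairs where a risky source is in force,
    including sources inherited from default-src."""
    policy = parse_csp(header_value)
    findings = []
    for directive, bad in RISKY.items():
        for src in effective_sources(policy, directive) or []:
            if src in bad:
                findings.append((directive, src))
    return findings
```

With the header from the Data section above, "default-src 'self'; img-src 'self' data:; media-src mediastream:", img-src resolves to 'self' data: while script-src inherits 'self' only, so the audit is clean; putting data: into default-src instead would be reported under script-src.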

font-src

The font-src directive specifies valid sources for fonts loaded using @font-face.

Note: If this directive is absent, the user agent will look for the default-src directive.
font-src source-list

form-action

The form-action directive specifies valid endpoints for <form> submissions.

form-action source-list

frame-ancestors

The frame-ancestors directive specifies valid parents that may embed a page using the <frame> and <iframe> elements. This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field.

frame-ancestors source-list

frame-src

The frame-src directive specifies valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.

Note: This directive is deprecated. Use child-src instead.
frame-src source-list

img-src

The img-src directive specifies valid sources of images and favicons.

Note: If this directive is absent, the user agent will look for the default-src directive.
img-src source-list

media-src

The media-src directive specifies valid sources for loading media using the <audio> and <video> elements.

Note: If this directive is absent, the user agent will look for the default-src directive.
media-src source-list

object-src

The object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements.

Note: If this directive is absent, the user agent will look for the default-src directive.
object-src source-list

plugin-types

The plugin-types directive specifies the valid plugins that the user agent may invoke.

plugin-types type-list

referrer

The referrer directive specifies information in the referrer header for links away from a page.

referrer value

reflected-xss

The reflected-xss directive instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks. Valid values are allow, block, and filter. This directive is not supported in the <meta> element.

Note: This directive is ignored if it is contained in a meta element.
reflected-xss value

report-uri

The report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. See Using CSP violation reports for details. This directive is not supported in the <meta> element.

report-uri uri
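A report endpoint is an input surface of its own: it receives attacker-influenceable JSON from any browser, so it should validate before it trusts. The following added example (not code from the original page) shows the receiving side: it checks the content type and body size, parses the "csp-report" object a browser POSTs, requires the key fields, and counts accepted reports by effective directive and blocked URI so the noisiest violations surface first. The sample bodies, the 64 KiB limit and the accepted content types are constructed for this illustration; the field names are those used in browser violation reports.

```python
import json
from collections import Counter

# Constructed sample bodies, shaped like the JSON a browser POSTs to report-uri
# (one report per request, wrapped in a "csp-report" object).  Browsers report
# blocked inline script as "inline" and blocked data: URIs as "data".
SAMPLE_REPORTS = [
    b'{"csp-report":{"document-uri":"https://example.com/page","referrer":"",'
    b'"violated-directive":"script-src \'self\'","effective-directive":"script-src",'
    b'"original-policy":"default-src \'self\'; report-uri /csp-report",'
    b'"blocked-uri":"https://cdn.example.net/x.js","status-code":200}}',
    b'{"csp-report":{"document-uri":"https://example.com/page",'
    b'"violated-directive":"script-src \'self\'","effective-directive":"script-src",'
    b'"original-policy":"default-src \'self\'; report-uri /csp-report",'
    b'"blocked-uri":"inline"}}',
    b'{"csp-report":{"document-uri":"https://example.com/other",'
    b'"violated-directive":"img-src \'self\'","effective-directive":"img-src",'
    b'"original-policy":"default-src \'self\'; report-uri /csp-report",'
    b'"blocked-uri":"data"}}',
    b'{"not":"a report"}',                       # malformed: no csp-report object
]

MAX_REPORT_BYTES = 64 * 1024                     # assumed limit; reject before parsing
ACCEPTED_TYPES = ("application/csp-report", "application/json")
REQUIRED = ("document-uri", "violated-directive", "blocked-uri")


def parse_report(body, content_type="application/csp-report"):
    """Validate one POSTed report body; return the inner csp-report dict or None."""
    if content_type.split(";")[0].strip().lower() not in ACCEPTED_TYPES:
        return None
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        outer = json.loads(body)
    except ValueError:
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict) or any(k not in report for k in REQUIRED):
        return None
    return report


def triage(bodies):
    """Count accepted reports by (effective directive, blocked URI); returns
    (counter, number_of_rejected_bodies).  Falls back to the first token of
    violated-directive when effective-directive is missing (CSP 1.0 reports)."""
    counter = Counter()
    rejected = 0
    for body in bodies:
        report = parse_report(body)
        if report is None:
            rejected += 1
            continue
        directive = report.get("effective-directive") or report["violated-directive"].split()[0]
        counter[(directive, report["blocked-uri"])] += 1
    return counter, rejected


if __name__ == "__main__":
    counts, bad = triage(SAMPLE_REPORTS)
    for (directive, blocked), n in counts.most_common():
        print(f"{n:4d}  {directive:<12} {blocked}")
    print(f"rejected: {bad}")
```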

sandbox

The sandbox directive applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. This directive is not supported in the <meta> element or by the Content-Security-Policy-Report-Only header field.

sandbox value

script-src

The script-src directive specifies valid sources for JavaScript. When either the script-src or the default-src directive is included, inline script and eval() are disabled unless you specify 'unsafe-inline' and 'unsafe-eval', respectively.

Note: If this directive is absent, the user agent will look for the default-src directive.
script-src source-list

style-src

The style-src directive specifies valid sources for stylesheets. This includes both externally-loaded stylesheets and inline use of the <style> element and HTML style attributes. Stylesheets from sources that aren't included in the source list are not requested or loaded. When either the style-src or the default-src directive is included, inline use of the <style> element and HTML style attributes are disabled unless you specify 'unsafe-inline'.

Note: If this directive is absent, the user agent will look for the default-src directive.
style-src source-list
Note (this applies to the report-uri directive): Firefox currently requires the report-uri to use the same URL scheme and port as the content being protected by Content Security Policy.

upgrade-insecure-requests

A Chrome-only policy that instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they had been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten. This feature was added in Chrome 43.0.

Specifications

Specification                                              Status                     Comment
Content Security Policy Level 2 (section "CSP directives")  Candidate Recommendation   Added base-uri, child-src, form-action, frame-ancestors, plugin-types, referrer, reflected-xss.
Content Security Policy 1.0 (section "CSP directives")      Candidate Recommendation   Initial definition.

Browser compatibility

Desktop (cells left blank were empty in the source table)

Feature           Chrome               Firefox (Gecko)                         Internet Explorer   Opera   Safari
Basic support     14 (X-Webkit-CSP)    4.0 (2.0) (X-Content-Security-Policy)   12                  15      6 (X-Webkit-CSP)
                  25                   24.0 (24.0)                                                         7
base-uri
child-src
connect-src
default-src
font-src
form-action       41                   36.0 (36.0)                             ?                   ?       ?
frame-ancestors   41                   4.0 (2.0)                               ?                   ?       ?
frame-src
img-src                                                                        ?                   ?       ?
media-src
object-src
plugin-types
referrer
reflected-xss
report-uri
sandbox
script-src
style-src

Mobile

Feature           Android   Firefox Mobile (Gecko)   IE Mobile   Opera Mobile   Safari Mobile
Basic support     (Yes)     4.0 (2.0)                ?           ?              iOS 7.1
frame-ancestors   ?         4.0 (2.0)                ?           ?              ?
form-action       ?         36.0 (36.0)              ?           ?              ?


Document tags and contributors

Contributors to this page: linzhixiong, springuper, ziyunfei, Breezewish
Last updated by: linzhixiong