This document describes W3C Content Security Policy (CSP. As the name suggests, this specification is related to content security. It is mainly used to define the resources that can be loaded on a page to reduce the occurrence of XSS.
Chrome extension has introduced CSP, which is defined by the content_security_policy field in manifest. json. Some modern browsers also support defining CSPs through response headers. The following describes how to use CSP through the response header. For details about how to use CSP in Chrome extension, refer to the official Chrome documentation.
Browser compatibility
Early Chrome supports CSP through X-WebKit-CSP response headers, while firefox and IE support X-Content-Security-Policy, chrome 25 and Firefox23 start to support standard Content-Security-Policy, as shown in the following table.
Response Header |
Chrome |
Firefox |
Safari |
IE |
Content-Security-Policy |
25 + |
23 + |
- |
- |
X-Content-Security-Policy |
- |
4.0 + |
- |
10.0 (limited) |
X-Webkit-CSP |
14 + |
- |
6 + |
- |
For more information about CSP support in the browser, see CanIUse.
How to Use
To use CSP, you only need the server to output a response header similar to this:
Content-Security-Policy: default-src 'self' |
Default-src is a CSP command. Multiple commands are separated by semicolons. 'self 'is the command value. Multiple command values are separated by spaces. Currently, these CSP commands are available:
Command |
Command value example |
Description |
Default-src |
'Self 'cnd.a.com |
Defines the default loading policies for all types of resources (js, image, css, web font, ajax request, iframe, multimedia, etc.). If no policy is defined for a type of resource, use the default one. |
Script-src |
'Self 'js.a.com |
Defines the loading policy for JavaScript. |
Style-src |
'Self 'css.a.com |
Define a style-based loading policy. |
Img-src |
'Self 'img.a.com |
Define an image loading policy. |
Connect-src |
'Self' |
Load policies for Ajax, WebSocket, and other requests. If not, the browser simulates a 400 response. |
Font-src |
Font.a.com |
Load policy for Web Font. |
Object-src |
'Self' |
Loading policies for flash and Other plug-ins introduced by tags such as <object>, <embed>, or <applet>. |
Media-src |
Media.a.com |
The loading policy for html multimedia introduced by tags such as <audio> or <video>. |
Frame-src |
'Self' |
The frame loading policy. |
Sandbox |
Allow-forms |
Enable sandbox for requested resources (similar to the sandbox attribute of iframe ). |
Report-uri |
/Report-uri |
Tell the browser which address to submit log information if the requested resource is not permitted by the policy. Specifically, if you only want your browser to report logs without blocking any content. You can use the Content-Security-Policy-Report-Only response header instead. |
The command value can be composed of the following content:
Command Value |
Command example |
Description |
* |
Img-src * |
Any content is allowed. |
'None' |
Img-src 'none' |
NO content is allowed. |
'Self' |
Img-src 'self' |
Allow content from the same source (the same protocol, domain name, and port ). |
Data |
Img-src data |
Allow data: Protocol (for example, base64 encoded image ). |
Www.a.com |
Img-src img.a.com |
Resources of the specified domain name can be loaded. |
* .A.com |
Img-src * .a.com |
Resources in any subdomain of a.com can be loaded. |
Https://img.com |
Img-src https://img.com |
Https resources of img.com can be loaded (Protocol needs to be matched ). |
Https: |
Img-src https: |
Https resources can be loaded. |
'Unsafe-inline' |
Script-src 'unsafe-inline' |
Allows loading of inline resources (such as common style attributes, onclick, inline js, and inline css ). |
'Unsafe-eval' |
Script-src 'unsafe-eval' |
Allows loading of dynamic js Code, such as eval (). |
From the above introduction, we can see that the CSP protocol can control a lot of content. In addition, if you do not specify 'unsafe-inline', all the inline styles and scripts on the page will not be executed. If you do not specify 'unsafe-eval ', dynamic code execution using new Function, setTimeout, and eval is not allowed on the page. After the page resource source is restricted, the risk of being XSS is indeed much smaller.
Of course, relying solely on CSP to prevent XSS is far from enough. It is hard to prevent all browsers from being supported. However, given the low development cost, there is no harm in addition. If you are worried that the impact is too large, you can collect logs that do not match the rules as follows. First observe the following:
Content-Security-Policy-Report-Only: script-src 'self' ; report-uri http: //test/ |
In this way, if the page contains inline JS, it will still be executed, but the browser will send a post request to the specified address, containing the following information:
{ "csp-report" :{ "document-uri" : "http://test/test.php" , "referrer" : "" , "violated-directive" : "script-src 'self'" , "original-policy" : "script-src 'self'; report-uri http://test/" , "blocked-uri" : "" }} |
CSP is introduced here first. Modern browsers support many security-related response headers, which will be introduced later.
Link: http://www.imququ.com/post/content-security-policy-reference.html