[Q267] What is CSP used for? #269

Open
shfshanyue opened this issue Apr 6, 2020 · 3 comments

Comments

@shfshanyue
Owner

No description provided.

@shfshanyue shfshanyue added the js label Apr 6, 2020
@rex-ll

rex-ll commented Apr 15, 2020

@shfshanyue
Owner Author

shfshanyue commented May 6, 2020

CSP allows only the specified scripts and styles to be loaded, preventing XSS attacks to the greatest extent possible; it is the best solution to XSS. CSP is configured on the server side through the Content-Security-Policy HTTP response header sent when the page is loaded.

  1. External scripts can be restricted by specifying domains: Content-Security-Policy: script-src 'self', where 'self' means only scripts from the current origin are loaded.
  2. If the site must load inline scripts, a nonce can be provided so that only scripts carrying it execute, and an attacker then cannot inject scripts to attack: Content-Security-Policy: script-src 'nonce-xxxxxxxxxxxxxxxxxx'

GitHub's CSP configuration, as seen via devtools -> Network, is as follows:

Content-Security-Policy: default-src 'none'; 
  base-uri 'self'; 
  block-all-mixed-content;
  connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; 
  font-src github.githubassets.com; 
  form-action 'self' github.com gist.github.com; 
  frame-ancestors 'none'; 
  frame-src render.githubusercontent.com; 
  img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; 
  manifest-src 'self'; 
  media-src 'none'; 
  script-src github.githubassets.com; 
  style-src 'unsafe-inline' github.githubassets.com; 
  worker-src github.com/socket-worker.js gist.github.com/socket-worker.js

Related links

@zzetao

zzetao commented May 20, 2020

Content Security Policy (CSP)

Introduction:

  1. The best way to solve XSS
  2. Trusted domains can be set so that only they may be accessed for script / audio / video / image ...

Example of preventing XSS:
An attacker injects a malicious script (assume it executes an external script) into the system, which is shown to visiting users, in order to obtain user information.
We can use CSP to set trusted domains so that only .js scripts from them can execute.

How to set it:

  1. HTTP request header
  2. Meta tag

MDN: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSP

Compatibility: IE >= 10

@shfshanyue shfshanyue added the dom label Jul 1, 2020
@shfshanyue shfshanyue added http and removed js labels May 28, 2021