Content Security Policy: The page's settings blocked the loading of a resource at self?
Note: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/33453405/
Asked by emilly
I have a Java-based web application running on Tomcat6. My application is running on localhost on port 9001.
To make my application more secure and to reduce the risk of XSS attacks, I added the header Content-Security-Policy with the value default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'. With this I want to allow the web application to load the JavaScript files from the same domain. For other resources it continues to load in the same fashion as it did without this header.
But I am getting the below error.
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost:9001").
Accepted answer by kuporific
The Content Security Policy header is a white list of trusted sources.
The default-src list is the list used by all other *-src lists. If it is not present, the default is default-src *, which means "all content is allowed from anywhere", which does not provide any protection against XSS.
Therefore, you should start with default-src 'none', so that all content is disallowed, or default-src 'self', so that only content from your domain is allowed.
After that, other *-src lists can be replaced as needed. For example, the following trusts self for everything except images, and images are only allowed from example.com (but not from 'self'):
default-src 'self'; img-src example.com;
In your question, you specify default-src * 'unsafe-inline' 'unsafe-eval'; which might be causing the issue since * already implies 'unsafe-inline' and 'unsafe-eval'. It's like saying "allow everything and allow inline and allow eval".
Also note that CSP is supported via the X-Content-Security-Header in IE >= 8.
Sources:
Answer by M Sach
Try:
default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self' 'unsafe-inline' 'unsafe-eval'
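The source-list fallback that the accepted answer describes, and the effect of the two policies proposed on this page, as an added example that is not code from the original post or from the asker's Tomcat application. It is a deliberately small JavaScript model of how a browser resolves CSP fetch directives: a directive that is present replaces default-src entirely for its resource type, so with `script-src 'self'` the 'unsafe-inline' that appears only in default-src no longer covers inline script blocks. Scripts from the page's own origin load, but an inline `<script>` is refused, and Firefox reports a blocked inline script as a resource "at self", which is the message quoted in the question. The second answer's policy re-adds 'unsafe-inline' and 'unsafe-eval' to script-src, which makes the inline script run again at the cost of the XSS protection the header was added for. The origin http://localhost:9001, the file names and the host cdn.example.net are assumptions for the demonstration; nonces, hashes, scheme-only sources and *.wildcard hosts are out of scope of the model.

```javascript
// Added example, not code from the original post or from Tomcat: a small model
// of how a browser resolves CSP fetch directives. It understands host sources,
// '*', 'self', 'none', 'unsafe-inline' and 'unsafe-eval' only; nonces, hashes,
// scheme-only sources and *.wildcard hosts are deliberately not modelled.

// Fetch directives that fall back to default-src when they are absent.
// Directives such as frame-ancestors, base-uri and form-action do NOT fall back.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src",
  "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
]);

// Parse "name src src; name src" into Map<name, [src...]>. As in CSP, the
// first occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean).map(t => t.toLowerCase());
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// The list that governs `directive`: its own list if present, otherwise
// default-src, otherwise null (no restriction). This is the crux of the page:
// `script-src 'self'` completely replaces default-src for scripts, so keywords
// listed only in default-src stop applying to scripts.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) {
    return policy.get("default-src");
  }
  return null;
}

function defaultPort(protocol) {
  return protocol === "https:" || protocol === "wss:" ? "443" : "80";
}

// Does one source expression match a URL fetched by a page at pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return /^(https?|wss?):$/.test(url.protocol); // never data: etc.
  if (source.startsWith("'")) return false; // other keywords never match a URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/'\s]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme + ":" !== url.protocol) return false;
  if (host !== "*" && host !== url.hostname) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port === undefined) return urlPort === defaultPort(url.protocol); // no port = default port only
  return port === "*" || port === urlPort;
}

// May a page at pageOrigin load resourceUrl under `directive` (e.g. "script-src")?
function allowsFetch(header, directive, pageOrigin, resourceUrl) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  if (sources.length === 1 && sources[0] === "'none'") return false;
  const url = new URL(resourceUrl);
  return sources.some(src => sourceMatches(src, url, pageOrigin));
}

// May the page run inline <script> blocks and event handlers (script-src) or
// inline <style> (style-src)? Only the keyword counts: '*' matches URLs, not
// inline content. Browsers also ignore 'unsafe-inline' once a nonce or hash is
// present, which this model does not represent.
function allowsInline(header, directive) {
  const sources = effectiveSources(parsePolicy(header), directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

function allowsEval(header) {
  const sources = effectiveSources(parsePolicy(header), "script-src");
  return sources === null || sources.includes("'unsafe-eval'");
}

// The three policies from the page, evaluated for the asker's origin (assumed).
const PAGE_ORIGIN = "http://localhost:9001";
const ASKED     = "default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'";
const SUGGESTED = "default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const ANSWERED  = "default-src 'none'; script-src 'self'; img-src example.com";

function report(header) {
  return {
    ownScript:    allowsFetch(header, "script-src", PAGE_ORIGIN, "http://localhost:9001/js/app.js"),
    thirdParty:   allowsFetch(header, "script-src", PAGE_ORIGIN, "http://cdn.example.net/lib.js"),
    inlineScript: allowsInline(header, "script-src"),
    evalAllowed:  allowsEval(header),
  };
}

for (const [name, header] of Object.entries({ ASKED, SUGGESTED, ANSWERED })) {
  console.log(name, report(header));
}
```

Running it shows the asker's policy allowing http://localhost:9001/js/app.js but refusing inline script and eval, the second answer's policy allowing both again while still blocking third-party script hosts, and the accepted answer's `default-src 'none'; ...` policy blocking a stylesheet from the page's own origin because style-src falls back to 'none'. A policy of just `default-src *` permits any http(s) script host but still refuses inline script, since the keyword is matched separately from host sources.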