JavaScript: Allow All Content Security Policy?

Note: this page is a Chinese/English side-by-side translation of a popular Stack Overflow question and is provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must attribute it to the original authors (not me): Stack Overflow, original address http://stackoverflow.com/questions/35978863/

Date: 2020-08-23 18:28:26  Source: igfitidea

Allow All Content Security Policy?

Tags: javascript, web, http-headers, xss, content-security-policy

Asked by joshlf

Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's automatically blocking certain XSS attacks.

Answered by Rainb

For people who still want an even more permissive policy, because the other answers were just not permissive enough, and they must work with Google Chrome, for which * is just not enough:

default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; 
script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; 
connect-src * data: blob: 'unsafe-inline'; 
img-src * data: blob: 'unsafe-inline'; 
frame-src * data: blob: ; 
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';

Answered by zerologiko

It's not secure at all, but as a starting point the real allow-all policy is:

default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';

See: https://content-security-policy.com/ and this CSP migration guide.

Answered by oreoshake

The best way would be not applying any policy.

But to answer your question, an "allow all policy" would probably be:

default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; 

Note: untested

Answered by Manik Malhotra

Here's the htaccess code to allow everything in CSP

Header add Content-Security-Policy "default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';"
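The answers above hand out allow-all policies without showing what each token actually switches off. The following Python script is an added example, not code from any of the answers or from Stack Overflow: it parses a Content-Security-Policy header value the way a browser does (first occurrence of a directive wins, fetch directives fall back to default-src, unknown quoted keywords are silently dropped) and lists the settings that make the policy permissive. PERMISSIVE is the allow-all policy quoted in zerologiko's answer; HARDENED is an assumed nonce-based policy used only for contrast, and the nonce value in it is a placeholder.

```python
"""Audit a Content-Security-Policy header value for allow-all settings.

Added example for this thread; it is not code from any of the answers above.
PERMISSIVE copies the allow-all policy quoted in the thread; HARDENED is an
assumed nonce-based policy (the nonce value is a constructed placeholder).
"""
import re

# Fetch directives that fall back to default-src when not set explicitly
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src", "frame-src",
    "media-src", "object-src", "child-src", "worker-src", "manifest-src",
}

# Quoted keywords the spec defines; browsers silently drop any other quoted token
KNOWN_KEYWORDS = {
    "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
    "'unsafe-hashes'", "'wasm-unsafe-eval'", "'report-sample'",
}
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=_-]+)'$")

# Directives where *, data:, 'unsafe-inline' or 'unsafe-eval' give code execution
CODE_DIRECTIVES = ("script-src", "object-src")


def parse_csp(header):
    """Split a header value into {directive: [source expressions]}.

    Directive names are case-insensitive; only the first occurrence counts.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return the source list governing `directive`, applying default-src fallback.

    None means the directive is unrestricted (neither it nor default-src is set).
    """
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def audit_csp(header):
    """Return sorted findings describing why the policy is permissive."""
    policy = parse_csp(header)
    findings = set()

    # Unknown quoted keywords add no restriction, so flag them (often a typo)
    for directive, sources in policy.items():
        for src in sources:
            if src.startswith("'") and src not in KNOWN_KEYWORDS and not NONCE_OR_HASH.match(src):
                findings.add(f"{directive}: unknown keyword {src} is ignored by browsers")

    for directive in CODE_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.add(f"{directive}: not restricted (no directive and no default-src)")
            continue
        has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
        if "*" in sources:
            findings.add(f"{directive}: wildcard * allows code from any origin")
        if "data:" in sources or "blob:" in sources:
            findings.add(f"{directive}: data:/blob: allow attacker-constructed code")
        # 'unsafe-inline' is ignored when a nonce or hash is present (CSP Level 2+)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.add(f"{directive}: 'unsafe-inline' permits inline handlers and <script> blocks")
        if "'unsafe-eval'" in sources:
            findings.add(f"{directive}: 'unsafe-eval' permits eval() and Function()")
    return sorted(findings)


# Constructed samples: PERMISSIVE is the allow-all policy quoted in the thread,
# HARDENED is an assumed nonce-based policy a defender would deploy instead.
PERMISSIVE = ("default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' "
              "'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: "
              "'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';")
HARDENED = ("default-src 'self'; script-src 'nonce-EXAMPLEnonce123' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none';")

if __name__ == "__main__":
    for label, header in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(f"{label}:")
        for finding in audit_csp(header) or ["no allow-all settings found"]:
            print("  -", finding)
```

Running it on the allow-all policy reports six findings (wildcard, 'unsafe-inline' and 'unsafe-eval' for both script-src and, through the default-src fallback, object-src), which is exactly the protection the question wants removed for the lab; the nonce-based policy reports none. Feeding it Rainb's header also shows that 'unsafe-dynamic' is not a CSP keyword and is simply ignored, so it neither loosens nor tightens anything.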