CSP is configured by sending the Content-Security-Policy header with one or more directives, each of which is a whitelist of allowed sources. Version 1.0 supports the following directives:

default-src
script-src
object-src
style-src
img-src
media-src
frame-src
font-src
connect-src

default-src lists the default allowed sources for the remaining directives. If a directive is not specified in the header, the policy for it is taken from the default-src list.

Two keywords are available for any directive: 'self' references the current origin, and 'none' allows nothing at all. For example, object-src 'none' prohibits loading any plug-ins, including Java and Flash. The simplest policy allows resources from the current origin only:

Content-Security-Policy: default-src 'self';
Paths cannot be whitelisted (http://cdn.example.com/path); you can only list the domains themselves (http://cdn.example.com). Wildcards are supported, however, so all subdomains can be described at once (http://*.example.com).

In the following policy, default-src and style-src contain the keyword 'self', and script-src and style-src contain the domain http://cdn.example.com, so styles may come from the current origin or the CDN, while scripts may come only from the CDN:

Content-Security-Policy: default-src 'self'; style-src 'self' http://cdn.example.com; script-src http://cdn.example.com;

Resources embedded as data: URIs (for example base64-encoded images) are allowed with the data: keyword: img-src data:;
The script-src and style-src directives support the keywords 'unsafe-inline' and 'unsafe-eval'.

'unsafe-inline' permits inline <style> and <script> elements. It also allows inline style attributes, inline event handlers (onclick, onmouseover, etc.) and javascript: links such as <a href="javascript:foobar()">. CSP works on the principle "if something is not mentioned, it is prohibited", so in the absence of 'unsafe-inline' all inline <style> and <script> tags are blocked.

'unsafe-eval' is used only in the script-src directive. If this keyword is not specified, any dynamic code evaluation is blocked, including eval, the Function constructor, and passing strings to setTimeout and setInterval.

There is also the older prefixed X-Content-Security-Policy
header. Apparently, only the optional sandbox directive is supported under it.

Violations can be reported with the report-uri directive. Every time a CSP violation is registered, the browser sends an HTTP POST request to the specified address. The request body contains a JSON object with all the necessary details.

Content-Security-Policy: default-src 'self'; report-uri https://example.com/csp/report;

If a page served with this header tries to load a resource from http://ajax.googleapis.com, the browser will send a request with the following JSON:

{
  "csp-report": {
    "blocked-uri": "http://ajax.googleapis.com",
    "document-uri": "http://example.com/index.html",
    "original-policy": "default-src 'self'; report-uri http://example.com/csp/report",
    "referrer": "",
    "violated-directive": "default-src 'self'"
  }
}
For testing, send Content-Security-Policy-Report-Only instead of the Content-Security-Policy header. In this case CSP logs violations without blocking any resources. You can even use both Content-Security-Policy and Content-Security-Policy-Report-Only at the same time, enforcing the established rules with the first header and trying out new rules with the second.

Setting the header in different servers and languages:

# Apache config
Header set Content-Security-Policy "default-src 'self';"

# IIS Web.config
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="default-src 'self';" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

# nginx conf file
add_header Content-Security-Policy "default-src 'self';";

# PHP example
header("Content-Security-Policy: default-src 'self'");

# Node.js example (the header is set on the response object)
response.setHeader("Content-Security-Policy", "default-src 'self'");
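Before deploying a policy it helps to see which directives silently inherit from default-src and which sources widen the whitelist ('unsafe-inline', 'unsafe-eval', '*', or a bare scheme such as https: that allows any origin). The following parser and audit is an added example written for this article, not code from it; the sample header is constructed.

```python
# CSP 1.0 directives that inherit from default-src when they are absent.
FETCH_DIRECTIVES = ["script-src", "object-src", "style-src", "img-src",
                    "media-src", "frame-src", "font-src", "connect-src"]

# Sources that widen a directive far beyond a list of named origins.
BROAD_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:"}


def parse_policy(header):
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Directive names are case-insensitive; sources are kept as written."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources the browser applies to a directive, using the default-src
    fallback when the directive is not set explicitly."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_policy(header):
    """Return sorted (directive, source) pairs a reviewer should look at.
    Inherited directives are reported under their own name, so a broad
    default-src shows up once for every directive it silently covers."""
    policy = parse_policy(header)
    findings = set()
    for directive in ["default-src"] + FETCH_DIRECTIVES:
        for source in effective_sources(policy, directive):
            if source in BROAD_SOURCES:
                findings.add((directive, source))
    return sorted(findings)


# Constructed sample: scheme-wide default-src plus unsafe keywords on script-src.
SAMPLE = ("default-src https:; connect-src https:; img-src https: data:; "
          "script-src 'unsafe-inline' 'unsafe-eval' https:; "
          "style-src 'unsafe-inline' https:; object-src 'none';")

if __name__ == "__main__":
    for directive, source in audit_policy(SAMPLE):
        print("%-12s %s" % (directive, source))
```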
For comparison, here is the policy served by Facebook:

default-src *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com; style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;

And Twitter's policy, which also makes use of connect-src:

default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; frame-ancestors https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

Note that https: is written everywhere, that is, SSL is enforced.

Newer versions of the specification add several directives:

base-uri: defines the URLs the document may use as its base URI.
child-src: replaces frame-src, which is now deprecated.
form-action: defines the URLs to which the document may submit HTML forms.
frame-ancestors: governs which documents may embed this one. It works like the X-Frame-Options header, which it is likely to replace.
plugin-types: defines which plugin types may be loaded (Flash, Java, Silverlight, etc.).

The violation report gains two new fields:

effective-directive: the name of the directive that was actually violated.
status-code: the HTTP status code of the requested resource, or 0 if the violating request was not made over HTTP.

Inline scripts can also be allowed individually with a nonce: a random value is placed in the header and repeated in the nonce attribute of the script tag, and only tags whose attribute matches the header are executed.

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-Xiojd98a8jd3s9kFiDi29Uijwdu';
<script>
  console.log("Script won't run as it doesn't contain a nonce attribute");
</script>
<script nonce="Eskdikejidojdk978Ad8jf">
  console.log("Script won't run as it has an invalid nonce");
</script>
<script nonce="Xiojd98a8jd3s9kFiDi29Uijwdu">
  console.log('Script runs as the nonce matches the nonce in the HTTP header');
</script>
Alternatively, a hash of the script or style contents can be listed in the style-src or script-src directive. Before rendering the page, the browser calculates the hash of the script / style, and if it matches the one specified, execution is allowed. For example, the hash of

console.log('Hello, SitePoint');

computed with SHA-256 and encoded in base64 gives the following policy:

Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-V8ghUBat8RY1nqMBeNQlXGceJ4GMuwYA55n3cYBxxvs=';

The hash is calculated over the exact contents of the tag, so whitespace matters. Only the first of these scripts matches the hash above; the second has a leading space and the third a trailing space, and both produce a different hash:

<script>console.log('Hello, SitePoint');</script>
<script> console.log('Hello, SitePoint');</script>
<script>console.log('Hello, SitePoint'); </script>
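To see the whitespace sensitivity in practice, the following added example (written for this article, not code from it) computes the sha256 source expression for an inline script body and checks the three variants above against a header that whitelists only the exact body. The script-src extraction assumes the directive is present and ignores the default-src fallback.

```python
import base64
import hashlib


def hash_source(script_text):
    """CSP source expression for an inline script body: 'sha256-' followed by
    the base64 digest. The browser hashes the exact bytes between <script>
    and </script>, so leading or trailing whitespace changes the result."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def script_src_sources(header):
    """Source list of the script-src directive in a raw CSP header value
    (assumes script-src is present; default-src fallback is not applied)."""
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def inline_allowed(header, script_text):
    """True if the inline script would execute under this header: either
    'unsafe-inline' is listed or the script's quoted hash source is.
    Simplified: later CSP versions ignore 'unsafe-inline' once a hash or
    nonce is present in the directive."""
    sources = script_src_sources(header)
    if "'unsafe-inline'" in sources:
        return True
    return "'" + hash_source(script_text) + "'" in sources


# Constructed example: the header whitelists exactly one inline script body.
BODY = "console.log('Hello, SitePoint');"
HEADER = "default-src 'self'; script-src 'self' '%s';" % hash_source(BODY)

# The same statement with a leading and with a trailing space.
VARIANTS = [BODY, " " + BODY, BODY + " "]

if __name__ == "__main__":
    for body in VARIANTS:
        print(repr(body), hash_source(body), inline_allowed(HEADER, body))
```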
Source: https://habr.com/ru/post/271575/