What does it mean to set a Content Security Policy on response to a non-HTML request?

后端 未结 1 784
醉话见心
醉话见心 2021-02-20 03:17

I understand that I might set a CSP header for the main page of my site, say https://example.com, to restrict from where I can load scripts and other resources. But

相关标签:
1条回答
  • 2021-02-20 03:50

    The current CSP spec (version 2) says (emphasis mine):

    3.6. Policy applicability

    Policies are associated with an protected resource, and enforced or monitored for that resource. If a resource does not create a new execution context (for example, when including a script, image, or stylesheet into a document), then any policies delivered with that resource are discarded without effect. Its execution is subject to the policy or policies of the including context.

    CSPs only apply to resources that create a new execution context (i.e., a Web page), which includes only top-level documents, embedded objects like <iframe>s, and scripts loaded as Web Workers. If a resource is served over HTTP and that reource is not used in a way that creates a new execution context, the CSP has no effect.

    Therefore, your scripts will behave identically whether or not they are served with a Content-Security-Policy header.

    0 讨论(0)
提交回复
热议问题