content-security-policy

Content Security Policy nonce does not apply to event handler attributes

妖精的绣舞 submitted on 2020-04-30 09:09:28
Question: I am in the process of adding CSP headers to a site that has a long way to go before it can adopt a strict policy. There are quite a few inline scripts, so I am using nonce- to allow specific inline scripts. I have found that it doesn't work on the onload attribute of a script tag with src. Here's an example: // header: Content-Security-Policy: script-src self https: 'nonce-d3adbe3fed' <script async defer src="https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.9.1/underscore-min.js" nonce

Content Security Policy nonce does not apply to event handler attributes

偶尔善良 submitted on 2020-04-30 09:08:34
Question: I am in the process of adding CSP headers to a site that has a long way to go before it can adopt a strict policy. There are quite a few inline scripts, so I am using nonce- to allow specific inline scripts. I have found that it doesn't work on the onload attribute of a script tag with src. Here's an example: // header: Content-Security-Policy: script-src self https: 'nonce-d3adbe3fed' <script async defer src="https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.9.1/underscore-min.js" nonce

“Content-Security-Policy”, “frame-ancestors *” from android_asset

你。 submitted on 2020-04-16 04:17:18
Question: I am writing an Android app which loads a local web page, and that page posts to some inner iframe, which in reply will display data regarding that user. The remote site refuses to display on my android_asset/page.html because of: Refused to display 'https://example/foo/bar' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *". My code is: mWebView.getSettings().setJavaScriptEnabled(true); mWebView.setWebViewClient(webViewClient);

iOS Refused to connect because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy

本小妞迷上赌 submitted on 2020-04-12 09:31:49
Question: So I made a PhoneGap app which uses socket.io to do stuff. I have the following Content-Security-Policy (CSP): <meta http-equiv="Content-Security-Policy" content=" default-src * data: blob: ws: wss:; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * ws: wss:;"> When I start the app on Safari / iOS I get the following error: Refused to connect to ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi because it appears in neither

iOS Refused to connect because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy

北战南征 submitted on 2020-04-12 09:31:48
Question: So I made a PhoneGap app which uses socket.io to do stuff. I have the following Content-Security-Policy (CSP): <meta http-equiv="Content-Security-Policy" content=" default-src * data: blob: ws: wss:; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * ws: wss:;"> When I start the app on Safari / iOS I get the following error: Refused to connect to ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi because it appears in neither

HTTP Security Response Headers

不羁岁月 submitted on 2020-03-19 12:44:53
I have recently been working on security scanning, and for some of the projects scanned by AppScan it reported that security headers had not been added. So I searched around on the intranet and on Google and roughly figured it out; here are my notes. What security response headers are: modern browsers provide a number of security-related response headers. Using them generally only requires changing the server configuration, not the program code, so the cost is very low. Purpose: to protect users, that is, in the usual sense, to prevent users from being subjected to various attacks such as XSS and CSRF. 1. Content-Security-Policy, known in Chinese as 内容安全策略 and abbreviated CSP. Its main idea is a whitelist of content sources, so that the browser only renders or executes resources that come from those sources. For example, if we only trust resources from www.exapmle.com and from our own server, we can establish that with the following configuration: Content-Security-Policy: default-src 'self' https://www.exapmle.com Here we use the default-src directive to set the source for default resources; when site content arrives that is not from this server or from exapmle.com, it will not be executed because of the whitelist mechanism. Note that the default-src directive defines the default value for most directives that are not specified. In general this applies to any directive ending in -src. If a directive such as script-src is not set to override default-src, the default-src setting is followed by default. Some common directives are listed below: base-uri

Web Security: Content Security Policy (CSP)

对着背影说爱祢 submitted on 2020-03-05 17:11:22
Content Security Policy (CSP) is an additional layer of security that helps detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. CSP is built into modern browsers, using the Content-Security-Policy header and directives described in the W3C CSP 1.0 standard. ##### So how is it applied? CSP can be specified in two ways: via an HTTP header and via HTML. At the HTTP level it is specified by adding a header, and at the HTML level by a meta tag. There are two kinds of CSP: Content-Security-Policy and Content-Security-Policy-Report-Only. (Case-insensitive.) HTTP header: "Content-Security-Policy:" policy "Content-Security-Policy-Report-Only:" policy The HTTP Content-Security-Policy header can specify that one or more resources are safe, while Content-Security-Policy-Report-Only lets the server check a policy without enforcing it. When multiple headers define policies, the first one defined takes precedence. HTML Meta : <meta

Content Security Policy and Office UI Fabric

情到浓时终转凉″ submitted on 2020-03-05 06:57:18
Question: I've been trying to set up a CSP to work with Office UI Fabric React. Is it possible to get anything more secure than style-src 'unsafe-inline'? We have a Create React App with TypeScript and we're using Office UI Fabric React to provide a consistent look and feel. Using csp-html-webpack-plugin and craco, when INLINE_RUNTIME_CHUNK=false is set it is possible to generate the CSP with hashes for styles and scripts for our own code. The problem occurs with Office UI Fabric React - it injects 7

Getting error while setting the content-security-policy using Angular4

倖福魔咒の submitted on 2020-03-04 20:04:25
Question: I am getting the following error while setting the content-security-policy using Angular4. Error: Refused to connect to 'ws://localhost:4200/sockjs-node/812/lxo2oeas/websocket' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback. Uncaught TypeError: event.data.indexOf is not a function at receiveMessage (out.js:4) Here is my code: <!doctype html> <html

Content security policy blocking remote CSS background image

故事扮演 submitted on 2020-03-01 04:58:24
Question: A background image loaded from a remote server is being blocked by my CSP with the message: Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src * https://xxxxx.com"). Source: background-image: url('https://xxxxx.... Here's my CSP: <meta http-equiv="Content-Security-Policy" content="default-src * https://xxxxx.com; script-src * 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:"> ...where xxxxx is obviously my domain. I assume it doesn't like