Question
My site is loading a third party library that loads all kinds of scripts to scrape the data from my site and send it to its own servers via XHR for analysis. I want to make a restriction such that my page can only talk to my servers and the one third party server, and no other connections would be made.
I'm wondering if CSP connect-src would do that?
For example, let's say my site is x.com and the third party is y.com.
If y.com loads a script that sends data to y.com, it is okay, but not if it sends it to z.com.
I have not started to implement this yet.
Answer 1:
It can be controlled in the Content-Security-Policy header using connect-src:
connect-src 'self' http://y.com https://y.com;
Source: https://stackoverflow.com/questions/58755429/can-csp-restrict-the-connections-of-dynamically-loaded-script
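The following is an added example, not part of the original question or answer: a simplified JavaScript model of how a browser checks a script-initiated request against the answer's connect-src list for a page on https://x.com. The function names (`connectAllowed`, `sourceMatches`) and the request URLs are hypothetical, and the model handles only `'self'` and `scheme://host[:port]` sources (no wildcards, paths, or redirects).

```javascript
// Policy string from the answer; PAGE_ORIGIN is an assumption (the asker's x.com over HTTPS).
const POLICY = "connect-src 'self' http://y.com https://y.com;";
const PAGE_ORIGIN = "https://x.com";

// An http: source also matches the https: upgrade of the same host, not the reverse.
function schemeOk(sourceScheme, urlScheme) {
  return sourceScheme === urlScheme ||
    (sourceScheme === "http:" && urlScheme === "https:");
}

// Does one source expression match the target URL?
function sourceMatches(source, target, pageOrigin) {
  const raw = source === "'self'" ? pageOrigin : source;
  // Keywords such as 'none' and anything this model does not parse match nothing.
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(raw)) return false;
  const src = new URL(raw);
  if (!schemeOk(src.protocol, target.protocol)) return false;
  // Exact host comparison: y.com does not cover sub.y.com without a wildcard.
  if (src.hostname !== target.hostname) return false;
  // URL.port is "" for a scheme's default port, so a source without an
  // explicit port matches only default-port URLs.
  return src.port === target.port;
}

// Decide whether fetch/XHR to requestUrl would pass the policy.
function connectAllowed(policy, pageOrigin, requestUrl) {
  const directives = new Map(
    policy.split(";")
      .map((d) => d.trim().split(/\s+/))
      .filter((tokens) => tokens[0])
      .map((tokens) => [tokens[0].toLowerCase(), tokens.slice(1)])
  );
  // connect-src falls back to default-src when it is absent.
  const sources = directives.get("connect-src") ?? directives.get("default-src");
  if (!sources) return true; // neither directive present: unrestricted
  const target = new URL(requestUrl, pageOrigin);
  return sources.some((s) => sourceMatches(s, target, pageOrigin));
}

// Constructed sample requests a dynamically loaded script might make.
for (const url of ["/api/save", "https://y.com/collect",
                   "https://z.com/collect", "https://sub.y.com/collect"]) {
  console.log(url, connectAllowed(POLICY, PAGE_ORIGIN, url) ? "allowed" : "blocked");
}
```

The policy applies to the page, so it binds every script running in it regardless of which origin loaded that script. connect-src governs only script-initiated connections (fetch, XHR, WebSocket, EventSource, sendBeacon); requests made through other resource types are controlled by their own directives such as img-src, or by the default-src fallback.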