问题
I want to administratively prevent a whole class of XSS attacks by not allowing anything on my page to send XHR/XMLHttpRequest (or other?) requests to other domains than the domain hosting the page. Is that possible?
I thought I could do that with Cross-Origin Resource Sharing (CORS), but it seems I was wrong. If a page hosted on domain-a.com tries to make an XHR request to domain-b.com, CORS can be used on domain-b.com pages to control whether or not that is allowed.
So if something on the page at domain-a.com tries to make an XHR request to hackers-r-us.com that will be allowed, as long as hackers-r-us.com sets the appropriate CORS headers.
But is there anything I can set on the page on domain-a.com to disallow requests to other domains such as hackers-r-us.com regardless of CORS headers on hackers-r-us.com?
回答1:
Content Security Policy (CSP) — specifically the connect-src CSP directive.
CSP directives are specified using the Content-Security-Policy HTTP header, and enforced by browsers. The simplest example of a header that specifies a connect-src directive would be this:
Content-Security-Policy: connect-src 'self';
If you serve a document at https://example.com/foo/ with that, browsers will block any frontend JavaScript in the document from making requests to URLs at any origin other than its own ('self'); that is, browsers will restrict the allowed requests only to URLs starting with https://example.com.
- https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src has more details and examples.
- https://w3c.github.io/webappsec-csp/#directive-connect-src is the actual spec section where the browser requirements are defined; that section also has some example.
来源:https://stackoverflow.com/questions/60406933/prevent-xmlhttprequest-request-to-another-domain