CSP is introduced

CSP is designed to reduce (note: reduce, not eliminate) cross-site scripting attacks.

A CSP is essentially a whitelist where the developer explicitly tells the browser which external resources can be loaded and executed. We just need to configure the rules, how to intercept is up to the browser implementation. We can minimize XSS attacks in this way.

Several Content-Security-Policy Settings (set in the response header)

  • By default, the CSP policy does not allow the use of data URIs resources. If the CSP policy does allow the use of data URIs resources, the display must be specified, such as img-src ‘self’ data:
  • Script-src: setting “unsafe-inline” when processing script resources prevents inline Js code from being executed. Use the unsafe – eval switch can prohibit the eval, setTimeout and setInterval function to perform.
  • Object-src: Controls the embed,code,archive applet and other objects.
  • Style-src: Controls URI resources introduced in the @import and rel stylesheets. Setting unsafe-inline rules allows browsers to reject parsing of internal and inline style definitions. Does not prevent linking to external stylesheets.
  • Img-src: Controls the connection of image resources, including the SRC attribute of the img tag, as well as the URL () and image() methods in CSS3, and the href attribute in the link tag (when rel is set to an image-related value, such as an HTML-supported icon)
  • Media-src: Controls the SRC attribute of the external linked resources of the media type, such as the video, audio, source, and track tags. Frame-src: controls the connection of external pages contained in an embedded frame: iframe or a frame.
  • Font-src: controls @font-face in the CSS
  • Connect-src: controls open(), WebSocket, and EventSource in XMLHttpRequest
  • Inline script and eval functions (including eval, setInterval, setTimeout, and new Function()) are not executed. XBLS are only allowed to be requested by chrome: and Resource: URIs. Other XBLS, such as those specified by -moz-binding in CSS, are not allowed to be executed.

CSP can usually be turned on in two ways

  1. Set content-security-policy in the HTTP Header

  • Default-src ‘self’ : only resources of this site are allowed to be loaded

  • Img-src https://* : only HTTPS images can be loaded

  • Child-src ‘none’ : allows loading of any source frame

For example: the Content of ws-security - the Policy:default- the SRC 'self'Copy the code
  1. How to set the meta tag
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:">
Copy the code

When enabled, external resources that do not comply with CSP are blocked from loading.

Of course, there are many more properties that can be set, and you can learn by looking at the documentation, but I won’t go over the other properties here.

In this case, as long as the developer has configured the right rules, the attacker cannot execute the site’s attack code even if the site is vulnerable, and CSP compatibility is good.

Reference:

www.zhihu.com/question/21…