Content Security Policy (CSP) is a W3C specification. The server declares, in an HTTP response header, which sources the browser is allowed to load content from; the browser enforces that policy and refuses to load anything outside it. Because injected scripts, inline event handlers and attacker-hosted resources fall outside a tight policy, CSP blocks most of what a cross-site scripting (XSS) attack relies on, even when the injection itself got through.


Chrome extensions declare their CSP in the content_security_policy field of manifest.json. Some of the rules that apply there differ from (and are stricter than) the CSP a web page delivers in a response header, and this article only covers the web page case. For extension CSP, refer to Chrome's extension documentation.
Browser support

Early Chrome versions read the policy from an X-WebKit-CSP header, while Firefox and IE used X-Content-Security-Policy. Since Chrome 25 and Firefox 23 the standard Content-Security-Policy header is used. The table below summarises which header each browser understands.

    Header                     | Chrome | Firefox | Safari | IE
    Content-Security-Policy    | 25+    | 23+     | -      | -
    X-Content-Security-Policy  | -      | 4.0+    | -      | 10.0+ (sandbox directive only)
    X-WebKit-CSP               | 14+    | -       | 6+     | -

The prefixed headers are legacy: send the standard Content-Security-Policy header, and only fall back to a prefixed one if you must support a specific old browser. For current support data, see CanIUse.
Directives

A policy is delivered as an HTTP response header. The simplest useful policy allows every resource type from the page's own origin only:

    Content-Security-Policy: default-src 'self'

default-src is the fallback directive: it applies to every resource type for which no more specific directive is set. The 'self' keyword (always written with straight ASCII single quotes) restricts loading to the page's own origin, meaning the same scheme, host and port. The available directives are listed below.
    Directive    | Example                        | Meaning
    default-src  | default-src 'self' cnd.a.com   | Default for all resource types: scripts, images, stylesheets, web fonts, Ajax and WebSocket connections, iframes, plugins and media. It applies only to types for which no specific directive below is set.
    script-src   | script-src 'self' js.a.com     | Valid sources of JavaScript.
    style-src    | style-src 'self' css.a.com     | Valid sources of stylesheets.
    img-src      | img-src 'self' img.a.com       | Valid sources of images.
    connect-src  | connect-src 'self'             | Valid targets for Ajax (XMLHttpRequest), WebSocket and EventSource connections. A blocked connection fails as though the server had returned an empty HTTP 400 response.
    font-src     | font-src font.a.com            | Valid sources of web fonts.
    object-src   | object-src 'self'              | Valid sources for <object>, <embed> and <applet> plugin content, such as Flash.
    media-src    | media-src media.a.com          | Valid sources for <audio> and <video> HTML5 media.
    frame-src    | frame-src 'self'               | Valid sources for content embedded in frames.
    sandbox      | sandbox allow-forms            | Applies a sandbox to the page, with the same flags as the sandbox attribute of an iframe.
    report-uri   | report-uri /report-uri         | URL to which the browser POSTs a report when the policy is violated. To collect reports without enforcing the policy, send the policy in the Content-Security-Policy-Report-Only header instead of Content-Security-Policy.
Each directive takes a list of source expressions. The forms a source expression can take are:

    Source expression | Example                   | Meaning
    *                 | img-src *                 | Any source.
    'none'            | img-src 'none'            | No source at all; the resource type is blocked entirely.
    'self'            | img-src 'self'            | The page's own origin: same scheme, host and port.
    data:             | img-src data:             | The data: scheme, for example base64-encoded inline images.
    www.a.com         | img-src img.a.com         | A specific host.
    *.a.com           | img-src *.a.com           | Any subdomain of a.com (not a.com itself).
    https://img.com   | img-src https://img.com   | img.com, over https only.
    https:            | img-src https:            | Any source served over https.
    'unsafe-inline'   | script-src 'unsafe-inline'| Inline resources: <script> and <style> blocks, onclick and other event-handler attributes, and style attributes.
    'unsafe-eval'     | script-src 'unsafe-eval'  | String-to-code execution in JavaScript, such as eval().

Keyword sources ('self', 'none', 'unsafe-inline', 'unsafe-eval') must be wrapped in straight ASCII single quotes; the curly quotes some editors insert are not recognised and silently make the keyword ineffective.

By default CSP forbids inline scripts and styles as well as string-to-code evaluation. 'unsafe-inline' re-enables inline <script> and <style> blocks and event-handler attributes; 'unsafe-eval' re-enables eval(), new Function(), and setTimeout()/setInterval() called with a string argument. These are exactly the vectors most XSS payloads need, so enabling either one largely defeats the purpose of deploying CSP. Leave both out and move inline code into external files served from an allowed source.
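To make the directive fallback and the source-expression matching rules above concrete, here is an added example (written for this article, not code from the original page or from any browser): a small CSP evaluator that parses a policy string, applies the default-src fallback, and decides whether a resource fetch or an inline script would be allowed. The policies, origins and URLs in it are constructed; path matching and nonce/hash sources are left out, and a scheme-less host source matches the document's scheme (with an http page also allowed to load the host over https), which is the rule the CSP specification uses.

```javascript
// Added example: a minimal CSP evaluator for the directive and source tables above.
// Not a browser implementation; paths, nonces and hashes are not handled.

// Directives that fall back to default-src when they are not set explicitly.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src',
]);

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "script-src 'self' js.a.com; img-src *" -> { 'script-src': ["'self'", 'js.a.com'], 'img-src': ['*'] }
// As in browsers, a directive repeated within one policy keeps its first occurrence.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Source list in force for a directive, or null when the policy does not restrict it.
function effectiveSources(directives, directive) {
  if (directive in directives) return directives[directive];
  if (FALLS_BACK_TO_DEFAULT.has(directive) && 'default-src' in directives) {
    return directives['default-src'];
  }
  return null;
}

// Match one source expression against the URL of a fetched resource.
// Keyword sources are quoted; a scheme source ends in ':'; anything else is a
// host source of the form [scheme://][*.]host[:port].
function matchesSource(expr, resourceUrl, documentOrigin) {
  const res = new URL(resourceUrl);
  const doc = new URL(documentOrigin);
  const e = expr.toLowerCase();
  if (e === '*') return true;
  if (e === "'self'") return res.origin === doc.origin;
  if (e.startsWith("'")) return false;                           // 'none' and other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return res.protocol === e; // scheme source: https:, data:, ...
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (res.protocol !== scheme + ':') return false;
  } else if (res.protocol !== doc.protocol && res.protocol !== 'https:') {
    return false; // scheme-less host: document's scheme, or https for an http page
  }
  // *.a.com matches cdn.a.com but not a.com itself.
  const hostOk = wildcard ? res.hostname.endsWith('.' + host) : res.hostname === host;
  if (!hostOk) return false;
  const resPort = res.port || DEFAULT_PORTS[res.protocol] || '';
  if (port === undefined) return resPort === (DEFAULT_PORTS[res.protocol] || '');
  return port === '*' || port === resPort;
}

// Would this policy let a page at documentOrigin load resourceUrl for the given directive?
function allows(policy, documentOrigin, directive, resourceUrl) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  return sources.some((expr) => matchesSource(expr, resourceUrl, documentOrigin));
}

// Inline <script>/<style> blocks and event-handler attributes need 'unsafe-inline'.
function allowsInline(policy, directive) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  return sources.some((expr) => expr.toLowerCase() === "'unsafe-inline'");
}

// Demo with a constructed policy and origin.
const demoPolicy = "default-src 'self'; script-src 'self' js.a.com; img-src *.a.com https:";
const demoOrigin = 'https://www.a.com';
console.log('script from js.a.com :', allows(demoPolicy, demoOrigin, 'script-src', 'https://js.a.com/app.js'));
console.log('script from evil.com :', allows(demoPolicy, demoOrigin, 'script-src', 'https://evil.com/x.js'));
console.log('font via default-src :', allows(demoPolicy, demoOrigin, 'font-src', 'https://font.a.com/f.woff'));
console.log('inline script        :', allowsInline(demoPolicy, 'script-src'));
```

Running it shows the two points practitioners most often get wrong: a font from font.a.com is blocked even though no font-src was written, because font-src falls back to default-src 'self'; and an inline script is blocked under script-src 'self' because 'self' never covers inline code.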
Deploying an enforcing CSP against an existing site usually breaks something, because it is hard to know in advance every source the pages legitimately load from. CSP therefore provides a report-only mode: the same policy is sent in the Content-Security-Policy-Report-Only header, nothing is blocked, and the browser reports every violation, so the reports show exactly what the enforcing policy would break. For example:

    Content-Security-Policy-Report-Only: script-src 'self'; report-uri http://test/

With this header, when the page runs an inline script (which script-src 'self' forbids), the browser still executes it but POSTs a JSON report like the following to the report-uri:

    {"csp-report":{"document-uri":"http://test/test.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri http://test/","blocked-uri":""}}

The blocked-uri is empty here because the violating script was inline rather than fetched from a URL. Two things to keep in mind when collecting these reports: they are sent by the client, so every field is under the visitor's control and must be treated as untrusted input; and report-uri is being superseded by the report-to directive in newer CSP versions, though current browsers still honour report-uri.
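As an added example (written for this article, not code from the original page), here is a report-uri receiver that validates and normalises a report of the shape shown above before it reaches a log or alerting pipeline. The endpoint path /csp-report, the field names of the normalised record, the 64 KiB size cap and the sample reports are all assumptions made for the example; the mapping of an empty blocked-uri to "inline" reflects how older Chrome reported inline violations, where newer browsers send "inline" or "eval" explicitly.

```javascript
// Added example: a report-uri endpoint for CSP violation reports.
// Assumptions: path /csp-report, a 64 KiB body cap, and the record layout below.

const MAX_REPORT_BYTES = 64 * 1024; // the endpoint is unauthenticated: cap what it accepts

// Turn the browser's blocked-uri into something an analyst can triage on.
// Older Chrome sent "" for an inline-script violation; later browsers send
// "inline" or "eval". Anything else is resolved against the document URL and
// compared by origin.
function classifyBlockedUri(blockedUri, documentUri) {
  if (blockedUri === '' || blockedUri === 'inline') return { blockedUri: 'inline', kind: 'inline' };
  if (blockedUri === 'eval') return { blockedUri: 'eval', kind: 'eval' };
  try {
    const blocked = new URL(blockedUri, documentUri);
    const doc = new URL(documentUri);
    const kind = blocked.origin === doc.origin ? 'same-origin' : 'external';
    return { blockedUri: blocked.href, kind };
  } catch (err) {
    return { blockedUri, kind: 'unparseable' };
  }
}

// Handle one POSTed report. Returns { status, record, error } so the logic can
// be driven from any HTTP framework, or from a test, without opening a socket.
// Every field of the report is client-supplied and is coerced to a string.
function handleCspReport(headers, body) {
  const contentType = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (contentType !== 'application/csp-report' && contentType !== 'application/json') {
    return { status: 415, record: null, error: 'unexpected content type' };
  }
  if (Buffer.byteLength(body, 'utf8') > MAX_REPORT_BYTES) {
    return { status: 413, record: null, error: 'report too large' };
  }
  let report;
  try {
    report = JSON.parse(body)['csp-report'];
  } catch (err) {
    report = undefined;
  }
  if (!report || typeof report !== 'object') {
    return { status: 400, record: null, error: 'missing csp-report object' };
  }
  const documentUri = String(report['document-uri'] || '');
  // Old reports carried the whole source list ("script-src 'self'"); keep only the directive name.
  const violatedDirective = String(report['violated-directive'] || '').split(/\s+/)[0];
  const { blockedUri, kind } = classifyBlockedUri(String(report['blocked-uri'] || ''), documentUri);
  const record = {
    documentUri,
    referrer: String(report['referrer'] || ''),
    violatedDirective,
    originalPolicy: String(report['original-policy'] || ''),
    blockedUri,
    kind, // 'inline' | 'eval' | 'same-origin' | 'external' | 'unparseable'
  };
  return { status: 204, record, error: null };
}

// Wire the handler to a plain Node HTTP server. The server only listens when the
// caller invokes .listen(), so importing this file has no side effects.
function createReportServer(onRecord) {
  const http = require('http');
  return http.createServer((req, res) => {
    if (req.method !== 'POST' || req.url !== '/csp-report') {
      res.writeHead(404);
      res.end();
      return;
    }
    let body = '';
    req.on('data', (chunk) => {
      body += chunk;
      if (body.length > MAX_REPORT_BYTES) req.destroy(); // stop reading an oversized body early
    });
    req.on('end', () => {
      const result = handleCspReport(req.headers, body);
      if (result.record) onRecord(result.record);
      res.writeHead(result.status);
      res.end();
    });
  });
}

// Constructed sample: the report from the article, fed through the handler.
const sampleReport = JSON.stringify({
  'csp-report': {
    'document-uri': 'http://test/test.php',
    'referrer': '',
    'violated-directive': "script-src 'self'",
    'original-policy': "script-src 'self'; report-uri http://test/",
    'blocked-uri': '',
  },
});
console.log(handleCspReport({ 'content-type': 'application/csp-report' }, sampleReport));
```

To run it as a service, call createReportServer(record => console.log(record)).listen(8080) and point report-uri at http://host:8080/csp-report. The 'kind' field is what makes the reports useful in practice: a flood of 'same-origin' or 'inline' records right after a deploy usually means the policy is too tight for the site's own code, while 'external' records pointing at hosts you do not recognise are worth treating as possible injection.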