Using CSP (Content-Security-Policy) to resolve or mitigate ISP DNS hijacking without switching to HTTPS

Date: 2021-1-8 Author: admin

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

For more information, see also this article on Content Security Policy (CSP).

Syntax

Content-Security-Policy: <policy-directive>; <policy-directive>

Directives

Fetch directives

Fetch directives control locations from which certain resource types may be loaded.

[`child-src`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FContent-Security-Policy%2Fchild-src)

Defines the valid sources for web workers and nested browsing contexts loaded using elements such as `<frame>` and `<iframe>`. (Marked deprecated in the MDN text this page reproduces.)

connect-src

Restricts the URLs which can be loaded using script interfaces

default-src

Serves as a fallback for the other [fetch directives](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FGlossary%2FFetch_directive): when a resource type has no directive of its own, the `default-src` list applies to it.

font-src

Specifies valid sources for fonts loaded using [`@font-face`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FCSS%2F%40font-face).

frame-src

Specifies valid sources for nested browsing contexts loaded using elements such as [`<frame>`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTML%2FElement%2Fframe) and `<iframe>`.

img-src

Specifies valid sources of images and favicons.

manifest-src

Specifies valid sources of application manifest files.

media-src

Specifies valid sources for loading media using the [`<audio>`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTML%2FElement%2Faudio), [`<video>`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTML%2FElement%2Fvideo) and [`<track>`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTML%2FElement%2Ftrack) elements.

object-src

Specifies valid sources for the [`<object>`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTML%2FElement%2Fobject), [`<embed>`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTML%2FElement%2Fembed), and [`<applet>`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTML%2FElement%2Fapplet) (obsolete) elements.

prefetch-src

Specifies valid sources to be prefetched or prerendered.

[`script-src`](/go/?target=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FContent-Security-Policy%2Fscript-src)

Specifies valid sources for JavaScript. This includes not only URLs loaded directly into …
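The syntax line and the fetch-directive list above describe how a browser resolves a load: it picks the directive for the resource type, falls back to `default-src` when that directive is absent, and allows the load only if some source expression matches. The following evaluator is an added example written for this page (it is not code from the original post or from MDN) that implements that resolution for a simplified subset of CSP3 source matching: `'self'`, `'none'`, scheme sources such as `https:`, and host sources with an optional leading wildcard; nonces, hashes and `'unsafe-*'` keywords are not modelled. The page origin, the policy and the resource URLs, including the `isp-ad.example` host standing in for a script injected into a plain-HTTP page, are constructed for the demonstration and belong to no real site.

```python
"""Evaluate a Content-Security-Policy header against a list of resource loads.

Added example for this page, not the page's or MDN's code. Implements a
simplified subset of CSP3 source matching: 'self', 'none', scheme-source
(e.g. https:) and host-source ([scheme://]host[:port][/path], leading '*.'
wildcard). Nonces, hashes and 'unsafe-*' keywords are not modelled.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split 'name src src; name src' into {name: [sources]}.

    As in CSP, a directive that appears a second time is ignored."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _effective_port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # *.example.com matches a.example.com but not example.com itself
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(expr, url, page_origin):
    """True if one source expression allows url for a page served from page_origin."""
    expr = expr.lower()
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, _effective_port(u)) == (p.scheme, p.hostname, _effective_port(p))
    if expr.startswith("'"):
        return False                           # other keywords (nonce, hash, unsafe-*) not modelled
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1]          # scheme-source such as https:
    s = urlsplit(expr if "://" in expr else "//" + expr)   # host-source
    if s.scheme and s.scheme != u.scheme:
        return False
    if not _host_matches(s.hostname or "", u.hostname or ""):
        return False
    if s.port is not None and s.port != _effective_port(u):
        return False
    if s.path and s.path != "/" and not u.path.startswith(s.path):
        return False                           # simplified path matching: prefix only
    return True


def is_allowed(policy, directive, url, page_origin):
    """Resolve the fetch directive, falling back to default-src, and test the URL."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                            # no applicable directive: load is unrestricted
    return any(source_matches(e, url, page_origin) for e in sources)


def evaluate(header, page_origin, loads):
    """Return {(directive, url): allowed} for a list of (directive, url) loads."""
    policy = parse_csp(header)
    return {(d, u): is_allowed(policy, d, u, page_origin) for d, u in loads}


# Constructed example: a plain-HTTP page that allows its own origin and one CDN.
PAGE_ORIGIN = "http://www.example.com"
POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
          "img-src 'self' *.example.com; object-src 'none'; report-uri /csp-report")

# Constructed loads; the isp-ad host stands in for a script injected by an in-path party.
LOADS = [
    ("script-src", "http://www.example.com/app.js"),
    ("script-src", "https://cdn.example.com/lib.js"),
    ("script-src", "http://injected.isp-ad.example/ad.js"),
    ("img-src", "http://static.example.com/logo.png"),
    ("object-src", "http://www.example.com/legacy.swf"),
    ("font-src", "http://www.example.com/fonts/a.woff2"),    # no font-src: default-src applies
    ("font-src", "http://fonts.other.example/a.woff2"),
]

if __name__ == "__main__":
    for (directive, url), ok in evaluate(POLICY, PAGE_ORIGIN, LOADS).items():
        print(f"{'allow' if ok else 'BLOCK':5} {directive:11} {url}")
```

Running it shows the two own-origin and CDN scripts allowed, the injected third-party script blocked by `script-src`, the `<object>` load blocked by `object-src 'none'`, and the two font loads decided by `default-src` because no `font-src` is present. Two points worth keeping in view when relying on this for the hijacking case in the title: the policy only constrains what injected markup can load, so it is a mitigation rather than a fix, and the header itself rides on the same unprotected HTTP response as the page, so the in-path party that can inject content can also rewrite or drop the header. A `report-uri` (or `report-to`) endpoint that logs violations is the practical way to see how often injection is actually happening on your pages.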
