CSP: child-src and frame-src deprecated


Question


  1. In CSP v2 frame-src was deprecated. child-src is recommended to use instead.
  2. In CSP v3 frame-src is undeprecated and child-src is deprecated.
  3. Currently (Sep 2017) Chrome:

The 'child-src' directive is deprecated and will be removed in M60, around August 2017. Please use the 'script-src' directive for Workers instead.


So what's the correct collection of directives to work in modern (minus 2 versions) browsers? Looks like frame-src + script-src is enough? But what should be in script-src then?


PS: is it even legal to "undeprecate" stuff?

Answer

Update 2018-12-20


child-src has in the meantime been un-deprecated… So now neither frame-src nor child-src are deprecated any longer. But the guidance from the original answer here still holds true:


So what's the correct collection of directives to work in modern (minus 2 versions) browsers?


It seems like the answer to that depends on what exactly you want to specify a policy for.


  1. If your needs are simple and so you don’t want to have different policies for iframe elements and scripts, then just use default-src to specify the same policy for both.
  2. If your needs are more complicated and you want a policy for iframe elements that’s different from the policy for other resources, then use frame-src. Similarly, if you want a policy for scripts that’s different from the policy for other resources, then use script-src.
  3. If you don’t want a policy for worker scripts different from the policy for other scripts, then you’re fine just providing a script-src policy, and can stop there.
  4. If you do want a policy for worker scripts different from the policy for other scripts, then along with providing a script-src policy, provide a worker-src policy too. The worker-src one won’t affect browsers yet, but will future-proof things for when browsers do add support.


See https://github.com/w3c/webappsec-csp/issues/239#issuecomment-336135344 if you’re curious about the rationale for child-src being un-deprecated:


I was hoping other vendors would implement worker-src so we could drive down usage of child-src and remove it from the platform, but it doesn't look like that's happening quickly enough (removing Chrome's weird fallbacks would break a worker load on 0.006% of page views, which is not huge, but not nothing).


Answer 2017-09-04


It’s even a bit more complicated than what’s described in the question, because the CSP3 spec also introduces the worker-src directive. But the spec gives the following guidance:


The child-src model has been substantially altered:


  1. The frame-src directive, which was deprecated in CSP Level 2, has been undeprecated, but continues to defer to child-src if not present (which defers to default-src in turn).
  2. A worker-src directive has been added, deferring to script-src if not present (which likewise defers to default-src in turn).
  3. child-src is now deprecated.


That’s in https://w3c.github.io/webappsec-csp/, which is an editor’s draft but is what you should always consult for current spec requirements. Reason: You can’t trust https://www.w3.org/TR/CSP/ to be up to date (and in general you can’t trust anything under https://www.w3.org/TR to be up to date), and editor’s drafts are what browser implementors actually implement from (they don’t wait to implement until something’s published under https://www.w3.org/TR).


Anyway, the reason the child-src directive was deprecated is that its effect is specified as:


The child-src directive governs the creation of nested browsing contexts (e.g. <iframe> and <frame> navigations) and Worker execution contexts.


The problem with that in practice is: an iframe is very different from a worker script. So that’s why worker-src was added and why frame-src was un-deprecated (because you really do want a separate directive to specify policies for iframe elements), and why child-src was deprecated (because you really don’t want to apply one policy to both iframe elements and worker scripts).


So what's the correct collection of directives to work in modern (minus 2 versions) browsers?


It seems like the answer to that depends on what exactly you want to specify a policy for.


  1. If your needs are simple and so you don’t want to have different policies for iframe elements and scripts, then just use default-src to specify the same policy for both.
  2. If your needs are more complicated and you want a policy for iframe elements that’s different from the policy for other resources, then use frame-src. Similarly, if you want a policy for scripts that’s different from the policy for other resources, then use script-src.
  3. If you don’t want a policy for worker scripts different from the policy for other scripts, then you’re fine just providing a script-src policy, and can stop there.
  4. If you do want a policy for worker scripts different from the policy for other scripts, then along with providing a script-src policy, provide a worker-src policy too. The worker-src one won’t affect browsers yet, but will future-proof things for when browsers do add support.

PS: is it even legal to "undeprecate" stuff?


Yes. Though I can’t remember ever seeing any other spec or working group do that, it was the right thing to do in this case—because the CSP spec authors and working group realized that child-src was a mistake, and frame-src was actually necessary and it was a mistake to deprecate it.


So they unwound those mistakes—and relatively quickly. And part of why it worked in this case is: frame-src wasn’t deprecated long enough for browsers to ever get around to dropping support for it, and also a lot of web developers never got around to using child-src to begin with.
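As an added illustration (not part of the original answer), the following Python models the CSP Level 3 fallback chain quoted above (frame-src defers to child-src, then default-src; worker-src defers to script-src, then default-src) and resolves which directive actually governs an iframe load and a worker load under each of the four cases the answer lists. The example header values and host names are constructed for the demonstration.

```python
"""Resolve which CSP directive governs a frame or worker load under the CSP3 fallback chain."""

# Fallback order as quoted from the CSP3 editor's draft in the answer above.
FALLBACK = {
    "frame-src": ("frame-src", "child-src", "default-src"),
    "worker-src": ("worker-src", "script-src", "default-src"),
    "script-src": ("script-src", "default-src"),
}

# Constructed policies, one per case in the answer (hosts are placeholders).
POLICIES = {
    "simple": "default-src 'self'",
    "separate_frames_and_scripts": (
        "default-src 'self'; frame-src https://embed.example; "
        "script-src 'self' https://cdn.example"
    ),
    "separate_workers": (
        "default-src 'self'; frame-src https://embed.example; "
        "script-src 'self' https://cdn.example; worker-src 'self'"
    ),
    # A legacy CSP2-style policy: under CSP3 child-src still covers frames,
    # but workers now fall through to script-src instead.
    "legacy_child_src": "default-src 'none'; child-src https://embed.example; script-src 'self'",
}


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [source, ...]}.

    Directives are ';'-separated; if a directive name repeats, the first
    occurrence wins and later ones are ignored, as the CSP spec requires.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective(policy: dict, directive: str) -> tuple:
    """Walk the fallback chain and return (directive actually used, its sources)."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return name, policy[name]
    return None, []  # no governing directive: the load is unrestricted by CSP


def resolve_all(header: str) -> dict:
    """Show, for one header, which directive governs frames, workers and scripts."""
    policy = parse_csp(header)
    return {d: effective(policy, d) for d in ("frame-src", "worker-src", "script-src")}
```

Running `resolve_all` over `POLICIES["legacy_child_src"]` shows the practical gotcha the answer describes: child-src still restricts frames, but worker loads are governed by script-src.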
