CSP: child-src and frame-src deprecated
Question
- In CSP v2 frame-src was deprecated. child-src is recommended to use instead.
- In CSP v3 frame-src is undeprecated and child-src is deprecated.
- Currently (Sep 2017) Chrome:
The 'child-src' directive is deprecated and will be removed in M60, around August 2017. Please use the 'script-src' directive for Workers instead.
So what's the correct collection of directives to work in modern (minus 2 versions) browsers? Looks like frame-src + script-src is enough? But what should be in script-src then?
PS: is it even legal to "undeprecate" stuff?
Answer
Update 2018-12-20
child-src has in the meantime been un-deprecated… So now neither frame-src nor child-src is deprecated any longer. But the guidance from the original answer here still holds true:
So what's the correct collection of directives to work in modern (minus 2 versions) browsers?
It seems like the answer to that depends on what exactly you want to specify a policy for.
- If your needs are simple and so you don't want to have different policies for iframe elements and scripts, then just use default-src to specify the same policy for both.
- If your needs are more complicated and you want a policy for iframe elements that's different than the policy for other resources, then use frame-src. Similarly, if you want a policy for scripts that's different than the policy for other resources, then use script-src.
- If you don't want a policy for worker scripts different than the policy for other scripts, then you're fine just providing a script-src policy, and can stop there.
- If you do want a policy for worker scripts different than the policy for other scripts, then along with providing a script-src policy, provide a worker-src policy too. The worker-src one won't affect browsers yet, but will future-proof things for when browsers do add support.
See https://github.com/w3c/webappsec-csp/issues/239#issuecomment-336135344 if you're curious about the rationale for child-src being un-deprecated:
I was hoping other vendors would implement worker-src so we could drive down usage of child-src and remove it from the platform, but it doesn't look like that's happening quickly enough (removing Chrome's weird fallbacks would break a worker load on 0.006% of page views, which is not huge, but not nothing).
2017-09-04 answer
It's even a bit more complicated than what's described in the question, because the CSP3 spec also introduces the worker-src directive. But the spec gives the following guidance:
The child-src model has been substantially altered:
- The frame-src directive, which was deprecated in CSP Level 2, has been undeprecated, but continues to defer to child-src if not present (which defers to default-src in turn).
- A worker-src directive has been added, deferring to script-src if not present (which likewise defers to default-src in turn).
- child-src is now deprecated.
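The two fallback chains the spec excerpt describes (frame-src to child-src to default-src, and worker-src to script-src to default-src) are easy to get wrong when reviewing a header, so here is an added example (not code from the original answer or from the spec) that parses a constructed Content-Security-Policy value and reports which directive actually governs frames, workers and scripts:

```javascript
// Added example: resolve CSP3 fallback chains for a parsed policy.
// The chains below are the ones quoted from the spec excerpt above; the
// header values used for demonstration are constructed for this example.
const FALLBACK = {
  "frame-src": ["frame-src", "child-src", "default-src"],
  "worker-src": ["worker-src", "script-src", "default-src"],
  "script-src": ["script-src", "default-src"],
};

// Parse "name value value; name value" into { name: [values] }.
// Directive names are case-insensitive; if a name appears twice the
// first occurrence is kept and later ones are ignored, as the spec requires.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Walk the chain for `kind` and return { directive, sources } for the first
// directive present, or null when none is set (CSP then imposes no restriction).
function resolve(policy, kind) {
  for (const name of FALLBACK[kind]) {
    if (name in policy) return { directive: name, sources: policy[name] };
  }
  return null;
}

// Convenience: which directive governs each kind of load for a raw header.
function explain(header) {
  const policy = parsePolicy(header);
  const out = {};
  for (const kind of Object.keys(FALLBACK)) {
    const r = resolve(policy, kind);
    out[kind] = r ? r.directive : null;
  }
  return out;
}

// Constructed header following the answer's fourth bullet: a script-src
// policy plus a distinct worker-src policy; frames fall through to default-src.
const EXAMPLE_HEADER =
  "default-src 'self'; script-src 'self' https://cdn.example; worker-src 'self'";
console.log(explain(EXAMPLE_HEADER));
```

Running it prints that frames are governed by default-src while workers get their own worker-src list; swap in a header that only sets child-src to see frames and nothing else fall back to it.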
That's in https://w3c.github.io/webappsec-csp/, which is an editor's draft but is what you should always consult for current spec requirements. Reason: You can't trust https://www.w3.org/TR/CSP/ to be up to date (and in general you can't trust anything under https://www.w3.org/TR to be up to date), and editor's drafts are what browser implementors actually implement from (they don't wait to implement until something's published under https://www.w3.org/TR).
Anyway, the reason the child-src directive was deprecated is that its effect is specified as:
The child-src directive governs the creation of nested browsing contexts (e.g. <iframe> and <frame> navigations) and Worker execution contexts.
The problem with that in practice is: an iframe is very different than a worker script. So that's why worker-src was added and why frame-src was un-deprecated (because you really do want a separate directive to specify policies for iframe elements), and why child-src was deprecated (because you really don't want to apply one policy to both iframe elements and worker scripts).
So what's the correct collection of directives to work in modern (minus 2 versions) browsers?
It seems like the answer to that depends on what exactly you want to specify a policy for.
- If your needs are simple and so you don't want to have different policies for iframe elements and scripts, then just use default-src to specify the same policy for both.
- If your needs are more complicated and you want a policy for iframe elements that's different than the policy for other resources, then use frame-src. Similarly, if you want a policy for scripts that's different than the policy for other resources, then use script-src.
- If you don't want a policy for worker scripts different than the policy for other scripts, then you're fine just providing a script-src policy, and can stop there.
- If you do want a policy for worker scripts different than the policy for other scripts, then along with providing a script-src policy, provide a worker-src policy too. The worker-src one won't affect browsers yet, but will future-proof things for when browsers do add support.
PS: is it even legal to "undeprecate" stuff?
Yes. Though I can't remember ever seeing any other spec or working group do that, it was the right thing to do in this case—because the CSP spec authors and working group realized that child-src was a mistake, and frame-src was actually necessary and it was a mistake to deprecate it.
So they unwound those mistakes—and relatively quickly. And part of why it worked in this case is: frame-src wasn't deprecated long enough for browsers to ever get around to dropping support for it, and also a lot of web developers never got around to using child-src to begin with.