如何使用元标记放宽内容安全策略 [英] How to relax Content Security Policy with meta tag
问题描述
我正在尝试使用某些页面的特定元标记来覆盖内容安全策略.
I'm trying to override the Content Security Policy using a specific meta tag for some pages.
我已经尝试了几个小时,但是我还没有成功.
I've been trying for a couple of hours, but I've not succeed yet.
是否有一种方法可以从页面本身(使用JavaScript或元标记)覆盖CSP,而无需修改服务器配置?
Is there a way to override CSP from the page itself (using JavaScript or meta tags) without having to modify the server configuration?
谢谢.
推荐答案
否.
出于安全原因,元标记只能使策略更加严格,而不能放松标头中定义的策略.
For security reasons the meta tag can only make the policy more strict, not to relax the policy defined in the headers.
如果meta标签可以放宽政策,则CSP将无所适从.任何恶意方都可以添加元标记来禁用该策略,并避免应有的所有限制.
If the meta tag could relax the policy, CSP would have no teeth. Any malicious party could just add a meta tag to disable the policy and avoid all of the restrictions that should be in place.
这篇关于如何使用元标记放宽内容安全策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!