Allow All Content Security Policy?


Problem description

Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's automatically blocking certain XSS attacks.

Recommended answer

For people who still want an even more permissive post, because the other answers were just not permissive enough, and they must work with Google Chrome, for which * is just not enough:

default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; 
script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; 
connect-src * data: blob: 'unsafe-inline'; 
img-src * data: blob: 'unsafe-inline'; 
frame-src * data: blob: ; 
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';
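
To keep a lab-only policy like this one from reaching a production site, a header audit can flag it. The following is an added example, not part of the original answer; `parse_csp`, `audit_csp` and `LAB_POLICY` are names chosen here, and the keyword list is the one from CSP Level 3.

```python
import re

# Quoted keyword sources defined by CSP Level 3 (nonces and hashes are matched separately).
KNOWN_KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
                  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
                  "'wasm-unsafe-eval'"}
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/_=-]+'$")
# Sources that remove script-injection protection when they govern scripts.
SCRIPT_RISKY = {"*", "data:", "blob:", "'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header):
    """Return {directive: [sources]}; as in browsers, the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header):
    """Return sorted findings as (directive, source, reason) tuples."""
    policy = parse_csp(header)
    findings = set()
    # Scripts are governed by script-src, falling back to default-src.
    script_dir = "script-src" if "script-src" in policy else "default-src"
    for src in policy.get(script_dir, []):
        if src.lower() in SCRIPT_RISKY:
            findings.add((script_dir, src, "weakens script protection"))
    for name, sources in policy.items():
        for src in sources:
            if (src.startswith("'") and src.lower() not in KNOWN_KEYWORDS
                    and not NONCE_OR_HASH.match(src)):
                findings.add((name, src, "unrecognized keyword"))
    return sorted(findings)


# The policy from the answer above, joined into one header value.
LAB_POLICY = ("default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' "
              "'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' "
              "'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; "
              "img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; "
              "style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';")

if __name__ == "__main__":
    for finding in audit_csp(LAB_POLICY):
        print(finding)
```

The audit reports every script-relevant source in the policy plus the `'unsafe-dynamic'` token in `default-src`. It does not model how nonces, hashes or `'strict-dynamic'` change the effect of other sources.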
