Content Security Policy (CSP) Header: Onto each file or only the actual HTML pages?


Problem description


I'm currently adding the Content Security Policy (CSP) header to our application. I'm wondering to which files the header must be attached. After some research, I did not find a clear answer to it.


Twitter, e.g., only added it to the actual HTML document. Facebook, however, added it to almost every resource and the HTML document (HTML, JS, CSS, etc.).


So, is it necessary to add the Content Security Policy header to each served resource file or only to the HTML document? How does it work with Ajax (JSON content) requests? How does it work with SPAs (only the index.html file or all resources)? I don't want to slow down the page by adding long CSP headers to each file if it is not necessary from a security point of view.

Edit:


To clarify: Do browsers treat images or other non-document resources differently when they come with a CSP header attached?

Recommended answer


The correct answer to my question was given as an answer to another, similar question. It refers to the CSP specification, which clearly states that the policy only affects resources which create a new "execution context". This means it is not necessary to add the CSP to REST API responses. Please refer to the correct answer or directly to the specification of W3, which also includes a table of how different resources are handled (e.g. scripts, images, etc.).
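As an added example that is not part of the question or its answer: a small WSGI middleware (the function names, the sample app and the policy string are constructed for this demo) that attaches Content-Security-Policy only to responses whose Content-Type creates a document execution context, and leaves JSON and image responses untouched, which is the behaviour the answer above describes.

```python
# Policy value is a constructed example, not a recommendation for any real site.
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"

# Media types whose responses create a document execution context.
DOCUMENT_TYPES = {"text/html", "application/xhtml+xml"}


def should_carry_csp(content_type):
    """Return True when a response with this Content-Type should get the CSP header."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in DOCUMENT_TYPES


def csp_middleware(app, policy=CSP_POLICY):
    """Wrap a WSGI app so only document responses get Content-Security-Policy."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
            if should_carry_csp(ctype):
                headers = headers + [("Content-Security-Policy", policy)]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def sample_app(environ, start_response):
    """Constructed demo app: HTML document at /, JSON API under /api, PNG elsewhere."""
    path = environ.get("PATH_INFO", "/")
    if path == "/":
        ctype, body = "text/html; charset=utf-8", b"<!doctype html><p>hi</p>"
    elif path.startswith("/api"):
        ctype, body = "application/json", b'{"ok": true}'
    else:
        ctype, body = "image/png", b"\x89PNG..."
    start_response("200 OK", [("Content-Type", ctype)])
    return [body]


def response_headers(app, path):
    """Invoke a WSGI app in-process and return its response headers as a dict."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return dict(captured["headers"])
```

Worker scripts are the other case that creates a new execution context: a worker's policy comes from the response that delivered the worker script, so a site that serves workers would extend the predicate to cover those script responses as well.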

