How to use frame-src and child-src in Firefox and other browsers?


Problem description


The MDN page on Content Security Policy directives states that frame-src is deprecated and child-src should be used. However, Firefox 37 gives the following error message when I attempt to use child-src:

Content Security Policy: Couldn't process unknown directive 'child-src' <unknown>

This apparent lack of support isn't documented (as far as I could tell), which is frustrating. Is there any place browser support is documented?

Currently I'm using frame-src in addition to child-src, which appears to work. However, I'm now wondering if there is any potential for conflict between the two. Presumably frame-src will be ignored by browsers that support child-src? Is that guaranteed?

Solution

Update: Jan 2017:

Stop using child-src and begin using frame-src again.

In an effort to create even more confusion, CSP Level 3 has undeprecated frame-src and actually re-appointed it as the preferred way to achieve this. While child-src is still supported, frame-src is once again preferred.


Old post

frame-src is deprecated, but it was only recently made so in CSP Level 2 and not all browsers are up to the latest version of the spec.

The best approach at the moment for maximum browser compatibility is to include both child-src and frame-src with identical values. Browsers that only support the original CSP specification will use frame-src while newer ones will use child-src.

That developer console warning is of no consequence and merely informational. I would suggest you ignore it for now, because a year from now you may very well see one saying that frame-src is deprecated.

At this time, I ensure both are used when this is needed and intend to stop providing frame-src in January of 2017.

CSP Level 2 support:

  • Firefox - Pending
  • Chrome - 40+
  • Opera - 27+
  • Microsoft Edge - Pending
  • Safari - 10+
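
A consistency check for the compatibility advice in the answer above, as an added example that is not part of the original post: it models which directive decides iframe loads in a browser that only knows frame-src, one that prefers child-src as the answer describes, and one that follows the CSP Level 3 fallback order (frame-src, then child-src, then default-src). The function names and the sample policies are constructed for illustration.

```javascript
// Added example; function names are hypothetical, not from any library.

// Parse a CSP header value into Map(directive -> source list).
// A repeated directive is ignored, so the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Which directive decides iframe loads, in lookup order, per browser model.
// level1: child-src is an unknown directive (the Firefox 37 console message).
// level2: simplified from the answer's description (child-src preferred).
// level3: the CSP Level 3 fallback chain.
const FRAME_LOOKUP = {
  level1: ['frame-src', 'default-src'],
  level2: ['child-src', 'frame-src', 'default-src'],
  level3: ['frame-src', 'child-src', 'default-src'],
};

// Effective frame source list for one model, or null when nothing restricts frames.
function frameSources(header, model) {
  const policy = parsePolicy(header);
  const hit = FRAME_LOOKUP[model].find((d) => policy.has(d));
  return hit ? policy.get(hit).slice().sort().join(' ') : null;
}

// True when every model resolves to the same list, i.e. the policy behaves
// the same whichever of the two directives a browser honors.
function frameRulesConsistent(header) {
  const results = Object.keys(FRAME_LOOKUP).map((m) => frameSources(header, m));
  return results.every((r) => r === results[0]);
}

// Constructed sample policies.
const both = "default-src 'self'; frame-src https://widgets.example; child-src https://widgets.example";
const childOnly = "default-src 'self'; child-src https://widgets.example";
const drifted = "frame-src https://a.example; child-src https://a.example https://b.example";

console.log(frameRulesConsistent(both), frameRulesConsistent(childOnly), frameRulesConsistent(drifted));
```

The child-src-only policy fails the check because a browser that ignores child-src falls back to default-src for frames, which is the situation the question ran into.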
