Content Security Policy: The page's settings blocked the loading of a resource at self?


Problem description


I have a Java-based web application running on Tomcat 6. My application is running on localhost and port 9001.

To make my application more secure and to reduce the risk of XSS attacks, I added the header Content-Security-Policy with value default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'. With this I want to allow the web application to load the JavaScript files from the same domain.

For other resources it continues to load in the same fashion as it was without this header.

But I am getting the below error.

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost:9001").

Solution

The Content Security Policy header is a white list of trusted sources.

The default-src list is the list used by all other *-src lists. If it is not present, the default is default-src: * which means "all content is allowed from anywhere", which does not provide any protection against XSS.

Therefore, you should start with

  • default-src none, so that all content is disallowed, or
  • default-src 'self', so that only content from your domain is allowed.

After that, other *-src can be replaced as needed. For example, the following trusts self for everything except images, and images are only allowed from example.com (but not from 'self'):

default-src 'self'; img-src example.com;

In your question, you specify default-src * 'unsafe-inline' 'unsafe-eval'; which might be causing the issue since * already implies 'unsafe-inline' and 'unsafe-eval'. It's like saying "allow everything and allow inline and allow eval".

Also note that CSP is supported via the X-Content-Security-Header in IE >= 8.

Sources:

  • http://content-security-policy.com/
  • http://www.w3.org/TR/CSP/
  • http://caniuse.com/#feat=contentsecuritypolicy

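The answer's point that each *-src list replaces default-src wholesale (rather than extending it) is easy to get wrong when writing a policy by hand. The following is an added example, written for this page and not code from the question, the answer or any browser: a small evaluator that parses a Content-Security-Policy value, resolves the effective source list for a directive with the default-src fallback, and checks whether a resource URL is allowed from a given page origin. It also lints keywords written without single quotes, because per the CSP grammar an unquoted self or none is parsed as a host named "self" or "none", not as the keyword. The page URL, resource URLs and the third policy string are constructed for the demonstration; the first two policies are the ones quoted in the thread. It goes slightly beyond the thread by also evaluating inline scripts, which need 'unsafe-inline' in the effective list.

```python
"""Added example (editor's own, not from the question or the answer):
resolve effective CSP source lists, match resources against them, and
flag unquoted keywords. Simplified to the host-source matching needed
here: no nonces, hashes or default-port normalisation."""
from urllib.parse import urlsplit

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}
# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"}


def parse_policy(header):
    """Parse 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            # A repeated directive is ignored, as browsers do.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_policy(policy):
    """Warn about keywords written without quotes (e.g. self, none)."""
    warnings = []
    for directive, sources in policy.items():
        for src in sources:
            if "'" + src.lower() + "'" in KEYWORDS:
                warnings.append(f"{directive}: {src} is unquoted, so it matches a "
                                f"host named {src!r}; write '{src}'")
    return warnings


def effective_sources(policy, directive):
    """Own list if present, else default-src, else * (allow everything)."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return ["*"]


def _host_matches(src, page, url):
    """Match one host-source expression: *, host, or scheme://host:port."""
    if src == "*":
        return url.scheme in ("http", "https")  # data:/blob: are not covered by *
    if "://" not in src:
        src = page.scheme + "://" + src  # scheme-less source inherits the page scheme
    s = urlsplit(src)
    if s.scheme != url.scheme and not (s.scheme == "http" and url.scheme == "https"):
        return False
    host_ok = (s.hostname == url.hostname
               or (s.hostname.startswith("*.") and url.hostname.endswith(s.hostname[1:])))
    port_ok = (s.port == url.port) if s.port else (url.port is None)
    return host_ok and port_ok


def allows(policy, directive, page_url, resource_url):
    """True if resource_url may be fetched under `directive` by a page at page_url."""
    page, url = urlsplit(page_url), urlsplit(resource_url)
    for src in effective_sources(policy, directive):
        if src == "'none'":
            return False
        if src == "'self'":
            if (page.scheme, page.hostname, page.port) == (url.scheme, url.hostname, url.port):
                return True
        elif not src.startswith("'") and _host_matches(src, page, url):
            return True
    return False


def allows_inline(policy, directive):
    """Inline scripts/styles need 'unsafe-inline' in the *effective* list."""
    return "'unsafe-inline'" in effective_sources(policy, directive)


def demo():
    """Evaluate the two policies from the thread against constructed URLs."""
    page = "http://localhost:9001/index.jsp"  # constructed page origin
    asked = parse_policy("default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'")
    answer = parse_policy("default-src 'self'; img-src example.com;")
    return {
        "asked: own script": allows(asked, "script-src", page, "http://localhost:9001/js/app.js"),
        "asked: cdn script": allows(asked, "script-src", page, "http://cdn.example.net/lib.js"),
        # script-src replaces default-src entirely, so 'unsafe-inline' no longer applies
        "asked: inline script": allows_inline(asked, "script-src"),
        "asked: any image": allows(asked, "img-src", page, "http://cdn.example.net/logo.png"),
        "answer: own script": allows(answer, "script-src", page, "http://localhost:9001/js/app.js"),
        "answer: own image": allows(answer, "img-src", page, "http://localhost:9001/logo.png"),
        "answer: example.com image": allows(answer, "img-src", page, "http://example.com/logo.png"),
        # constructed policy with the keywords left unquoted
        "lint unquoted": lint_policy(parse_policy("default-src none; script-src self")),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The "asked: inline script" result is the practical consequence of the answer's rule: once script-src is present, the 'unsafe-inline' and 'unsafe-eval' tokens in default-src stop applying to scripts, so any inline script on the page is blocked even though the policy looks permissive.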