
React JS refuses to load an image because it violates the following Content Security Policy directive

Updated: 2022-04-19 22:47:14

The Content-Security-Policy meta-tag allows you to reduce the risk of XSS attacks by allowing you to define where resources can be loaded from, preventing browsers from loading data from any other locations. This makes it harder for an attacker to inject malicious code into your site.

A sample tag that says content="default-src 'self'" means this:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

  1. How do I allow multiple sources?

You can simply list your sources after a directive as a space separated list:

content="default-src 'self' https://example.com/js/"

Note that there are no quotes around parameters other than the special ones, like 'self'. Also, there's no colon (:) after the directive. Just the directive, then a space-separated list of parameters.
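The source-list rules just described (a directive name, no colon, then space-separated sources, with only keywords like 'self' in quotes), worked through as an added example that is not part of the original answer: a small JavaScript matcher that decides whether a resource URL is allowed under such a policy. The function names, the page origin and the sample URLs are constructed for the demo.

```javascript
// Added example, not from the original answer: a small matcher that mirrors how a
// browser applies a source list such as "default-src 'self' https://example.com/js/".
// parseCsp/sourceMatches/isAllowed and the sample URLs are constructed for this demo;
// wildcard hosts (*.example.com), nonces and hashes are deliberately not handled.

// Split "dir1 src src; dir2 src" into { dir1: [...], dir2: [...] }: directive name,
// then a space-separated source list, with no colon after the name.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression match the resource URL, given the page origin?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ...: never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // scheme-source, e.g. "https:"
  let src;
  try { // a bare host inherits the page's scheme; unparsable tokens never match
    src = new URL(source.includes('://') ? source : `${new URL(pageOrigin).protocol}//${source}`);
  } catch { return false; }
  if (src.protocol !== url.protocol || src.host !== url.host) return false;
  // A path ending in "/" is a prefix match (a host with no path has pathname "/",
  // so it matches everything); any other path must match exactly.
  return src.pathname.endsWith('/') ? url.pathname.startsWith(src.pathname) : url.pathname === src.pathname;
}

// Pick the governing directive: a fetch directive like img-src falls back to default-src.
function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const csp = parseCsp(policy);
  const sources = csp[directive] ?? csp['default-src'];
  if (!sources) return true; // nothing applies: the browser does not restrict the load
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const POLICY = "default-src 'self' https://example.com/js/"; // the answer's sample policy
const PAGE = 'https://myapp.test';                           // constructed page origin
console.log(isAllowed(POLICY, 'img-src', 'https://myapp.test/logo.png', PAGE));      // true: 'self'
console.log(isAllowed(POLICY, 'script-src', 'https://example.com/js/app.js', PAGE)); // true: path prefix
console.log(isAllowed(POLICY, 'img-src', 'https://example.com/img/x.png', PAGE));    // false: path not under /js/
console.log(isAllowed(POLICY, 'img-src', 'https://cdn.other.test/x.png', PAGE));     // false: origin not listed
```

The last two calls show why an image from an unlisted origin or path is refused: the browser consults img-src, finds none, falls back to default-src, and no source in that list matches.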