Updated: 2022-03-21 22:54:58
You're right, leaving your CSP like this might make things easier for an attacker. The main idea behind using a CSP is URL whitelisting as described here.
By whitelisting everything with the * wildcard you allow an attacker to load code (and execute) from everywhere once he is able to inject code into your application. Check out the linked article on this, it's a lot better than what I'm writing here ;)
So what's the right way to do this?
style-src 'self' https://github.com 'unsafe-inline';
Note: Be careful with the default-src policy as it overrides the other policies. And when it comes to whitelisting images, you might have to add the data: keyword like so: img-src 'self' http://somedomain.com data:;
Mozilla's documentation is quite good if you're looking for an overview of all the policies and keywords...
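As an added example (not part of the answer above), the following Python parses a Content-Security-Policy header and flags the two points made in the answer: a * wildcard in any fetch directive, and directives that silently inherit a weak default-src. The policy strings, the directive list and the function names are constructed for this example.

```python
# Added example (not from the original answer): parse a Content-Security-Policy
# header and flag the weaknesses the answer warns about. Policy strings below
# are constructed samples.

from typing import Dict, List

# Fetch directives that fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:  # browsers honour the first occurrence of a directive
            policy[name] = tokens[1:]
    return policy

def audit_csp(header: str) -> List[str]:
    """Return findings for wildcard sources and weak default-src fallbacks."""
    policy = parse_csp(header)
    findings: List[str] = []
    default = policy.get("default-src")
    for directive in FETCH_DIRECTIVES:
        sources = policy.get(directive)
        effective = directive
        if sources is None:
            if default is None:
                continue  # nothing restricts this directive at all
            sources, effective = default, f"{directive} (via default-src)"
        if "*" in sources:
            findings.append(f"{effective}: '*' allows loading from any origin")
        if directive == "script-src" and "'unsafe-inline'" in sources:
            findings.append(f"{effective}: 'unsafe-inline' lets injected inline scripts run")
    return findings

# Constructed sample policies: the wildcard one the answer warns against, and a
# tightened one built from the directives quoted in the answer.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"
HARDENED_CSP = ("default-src 'self'; script-src 'self'; "
                "style-src 'self' https://github.com 'unsafe-inline'; "
                "img-src 'self' http://somedomain.com data:")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, audit_csp(csp) or ["no findings"])
```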