Refused to load the image because it violates the Content Security Policy - Cordova

Updated: 2022-03-21 22:54:58

You're right, leaving your CSP like this might make things easier for an attacker. The main idea behind using a CSP is URL whitelisting as described here.

By whitelisting everything with the * wildcard you allow an attacker to load code (and execute) from everywhere once he is able to inject code into your application. Check out the linked article on this, it's a lot better than what I'm writing here ;)

So what's the right way to do this?

  1. Find out what domains you want to whitelist and what kind of resources this domain provides.
  2. Get rid of the wildcard and whitelist exactly those domains for exactly those resources you need. Let's, for example, take a look at your stylesheets from GitHub. You will have to add GitHub as a trustworthy domain for styles somewhat like this: style-src 'self' https://github.com 'unsafe-inline';

Note: Be careful with the default-src policy as it overrides the other policies. And when it comes to whitelisting images, you might have to add the data: keyword like so: img-src 'self' http://somedomain.com data:;

Mozilla's documentation is quite good if you're looking for an overview of all the policies and keywords...
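As an added example (not part of the original answer or of Cordova), a small JavaScript checker that evaluates a CSP source list the way the answer describes: it shows that the * wildcard lets any host load resources, that a fetch directive falls back to default-src when it is not set, and that images served as data: URLs need the data: keyword. The origin and host names are constructed sample values.

```javascript
// Assumed origin of the Cordova webview page (constructed sample value).
const PAGE_ORIGIN = "https://app.example";

// "img-src 'self' data:; style-src 'self' https://github.com" -> Map of directive -> sources
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0], tokens.slice(1));
  }
  return directives;
}

// Simplified source matching covering the keywords the answer uses.
function sourceMatches(src, url) {
  // Per the CSP spec, * matches any URL except data:, blob: and filesystem: schemes
  if (src === "*") return !/^(data|blob|filesystem):/.test(url);
  if (src === "'self'") return url === PAGE_ORIGIN || url.startsWith(PAGE_ORIGIN + "/");
  // Scheme source such as data: or https:
  if (src.endsWith(":")) return url.startsWith(src);
  // Host source: same origin as the listed host (no path matching in this example)
  const host = src.replace(/\/$/, "");
  return url === host || url.startsWith(host + "/");
}

// Returns true if `url` may be loaded under `directive` (e.g. "img-src") for this policy.
function isAllowed(policy, directive, url) {
  const d = parsePolicy(policy);
  // A fetch directive that is not set explicitly falls back to default-src
  const sources = d.get(directive) ?? d.get("default-src") ?? [];
  if (sources.includes("'none'")) return false;
  return sources.some((src) => sourceMatches(src, url));
}

// Constructed policies: the wildcard one and a tightened one as suggested in the answer.
const WILDCARD_POLICY = "default-src *";
const TIGHT_POLICY =
  "default-src 'self'; style-src 'self' https://github.com 'unsafe-inline'; " +
  "img-src 'self' https://somedomain.example data:";
```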