HTTP Content-Security-Policy (CSP) script-src
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also inline script event handlers (onclick) and XSLT stylesheets that can trigger script execution.
default-src fallback: Yes. If this directive is absent, the user agent will look for the default-src directive.
Syntax
One or more sources can be allowed for the script-src policy:
Content-Security-Policy: script-src <source>;
Content-Security-Policy: script-src <source> <source>;
Sources
<source> can be any one of the values listed in CSP Source Values.
Note that this same set of values can be used in all fetch directives (and a number of other directives).
Examples
Violation case
Given this CSP header:
Content-Security-Policy: script-src https://example.com/
the following script is blocked and won't be loaded or executed:
<script src="https://not-example.com/js/library.js"></script>
Inline scripts will also not be executed:
<button id="btn" onclick="doSomething()"></button>
Replace the inline handler with an addEventListener call:
document.getElementById("btn").addEventListener("click", doSomething);
Unsafe inline script
Note: Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides. However, if you absolutely have to use inline scripts and styles, there are a few mechanisms that allow them.
To allow inline scripts and inline event handlers, you can specify 'unsafe-inline', or a nonce-source or hash-source that matches the value defined on the inline tag.
Content-Security-Policy: script-src 'unsafe-inline';
The above CSP allows inline <script> tags:
<script>
var inline = 1;
</script>
You can use a nonce-source to only allow specific inline script tags:
Content-Security-Policy: script-src 'nonce-2726c7f26c'
You have to set the same nonce on the <script> tag:
<script nonce="2726c7f26c">
var inline = 1;
</script>
Alternatively, you can create hashes from your inline scripts. CSP supports sha256, sha384 and sha512.
Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='
When generating the hash, don't include the <script> tags, and note that case and the whitespace before and after the script content matter.
<script>
var inline = 1;
</script>
Unsafe eval expressions
The 'unsafe-eval' source expression controls several script execution methods that create code from strings. If 'unsafe-eval' isn't specified in script-src, the following are blocked and have no effect:
When passing a string literal like the following to methods such as window.setTimeout: window.setTimeout("alert(\"Hello World!\");", 500);
window.execScript (Non-standard, IE < 11 only)
strict-dynamic
The 'strict-dynamic' source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored. For example, a policy such as script-src 'strict-dynamic' 'nonce-R4nd0m' https://whitelisted.com/ would allow loading of a root script with <script nonce="R4nd0m" src="https://example.com/loader.js"> and propagate that trust to any script loaded by loader.js, but disallow loading scripts from https://whitelisted.com/ unless accompanied by a nonce or loaded from a trusted script.
script-src 'strict-dynamic' 'nonce-someNonce'
Or:
script-src 'strict-dynamic' 'sha256-base64EncodedHash'
It is possible to deploy strict-dynamic in a backwards compatible way, without requiring user-agent sniffing. The policy:
script-src 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'
will act like 'unsafe-inline' https: in browsers that support CSP1, https: 'nonce-abcdefg' in browsers that support CSP2, and 'nonce-abcdefg' 'strict-dynamic' in browsers that support CSP3.
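As an added example (not from the MDN page), the following is a deliberately simplified model of how a browser at CSP level 1, 2 or 3 reads a script-src value. It encodes only the rules described above: nonces and hashes grant explicit trust, 'unsafe-inline' is ignored next to a nonce or hash, and 'strict-dynamic' disables host and scheme allowlists while propagating trust to scripts inserted by a trusted script. It is not a full CSP matcher; the host-source matching is a path-prefix approximation, the pageOrigin used for 'self' is an assumed value, and the script descriptors are constructed.

```javascript
// Added example (not from the MDN page): a simplified model of script-src
// evaluation at CSP levels 1-3, covering only the behaviour the text describes.
const STRICT = "'strict-dynamic'";
const UNSAFE_INLINE = "'unsafe-inline'";
const isNonceToken = (t) => t.startsWith("'nonce-");
const isHashToken = (t) => /^'sha(256|384|512)-/.test(t);

function tokenize(scriptSrc) {
  return scriptSrc.trim().split(/\s+/);
}

// The tokens a browser at the given level actually honours.
function effectiveTokens(scriptSrc, level) {
  let tokens = tokenize(scriptSrc);
  const hasNonceOrHash = tokens.some((t) => isNonceToken(t) || isHashToken(t));
  if (level === 1) {
    // CSP1 knows neither nonces/hashes nor 'strict-dynamic'; unknown tokens are dropped.
    return tokens.filter((t) => !isNonceToken(t) && !isHashToken(t) && t !== STRICT);
  }
  if (level === 2) {
    // CSP2 honours nonces/hashes, and their presence makes 'unsafe-inline' ignored.
    tokens = tokens.filter((t) => t !== STRICT);
    return hasNonceOrHash ? tokens.filter((t) => t !== UNSAFE_INLINE) : tokens;
  }
  // CSP3: with 'strict-dynamic', host/scheme sources, 'self' and 'unsafe-inline'
  // are all ignored; trust comes only from nonces, hashes and propagation.
  if (tokens.includes(STRICT)) {
    return tokens.filter((t) => isNonceToken(t) || isHashToken(t) || t === STRICT);
  }
  return hasNonceOrHash ? tokens.filter((t) => t !== UNSAFE_INLINE) : tokens;
}

// script: { url?, inline?, nonce?, hash?, loadedByTrustedScript? }
// loadedByTrustedScript models the propagation case: a trusted script inserted
// this one through DOM APIs. pageOrigin (assumed value) is used for 'self'.
function isScriptAllowed(effective, script, pageOrigin = "https://example.com") {
  if (script.nonce && effective.includes(`'nonce-${script.nonce}'`)) return true;
  if (script.hash && effective.includes(`'${script.hash}'`)) return true;
  if (effective.includes(STRICT)) return Boolean(script.loadedByTrustedScript);
  if (script.inline) return effective.includes(UNSAFE_INLINE);
  const url = new URL(script.url);
  return effective.some((t) => {
    if (t === "'self'") return url.origin === pageOrigin;
    if (t.startsWith("'")) return false; // other keywords never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(t)) return url.protocol === t; // scheme-source
    return url.href.startsWith(t); // host-source, path-prefix match (simplified)
  });
}

// Decide the same script under each browser generation.
function decisionsByLevel(policy, script) {
  return [1, 2, 3].map((level) => isScriptAllowed(effectiveTokens(policy, level), script));
}

// The backwards-compatible policy from the text, with constructed scripts.
const compatPolicy = "'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'";
const samples = {
  rootWithNonce: { url: "https://example.com/loader.js", nonce: "abcdefg" },
  inlineNoNonce: { inline: true },
  childOfRoot: { url: "https://cdn.example.net/child.js", loadedByTrustedScript: true },
  randomHttps: { url: "https://not-example.com/js/library.js" },
};
for (const [name, script] of Object.entries(samples)) {
  console.log(name, "[CSP1, CSP2, CSP3] =>", decisionsByLevel(compatPolicy, script));
}
```

The interesting row is randomHttps: a CSP1 or CSP2 browser admits any https: script, while a CSP3 browser with 'strict-dynamic' blocks it unless the page's trusted loader inserted it. That is the whole point of the fallback policy, and it is why the broad https: and 'unsafe-inline' tokens are safe to include only alongside the nonce and 'strict-dynamic'.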