What it does:
- Restricts where resources may be fetched from
- Reports resource fetches that violate the policy
How the restriction is expressed:
- default-src restricts all resource types globally
- A specific resource type can be named instead
Resource types:
- connect-src
- img-src
- manifest-src
- font-src
- style-src
- media-src
- frame-src
- script-src
Test:
server.js:
```javascript
const http = require('http')
const fs = require('fs')
http.createServer(function(request, response) {
  console.log('request come', request.url)
  const html = fs.readFileSync('test.html')
  response.writeHead(200, {
    'Content-Type': 'text/html',
    'Content-Security-Policy': 'default-src http: https:'
  })
  response.end(html)
}).listen(8888)
console.log('server listening on 8888')
```
test.html:
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<div>This is content</div>
<script>
console.log('inline js')
</script>
</body>
</html>
```
Then start the server and open the page; the following error appears in the browser console:
Next, change server.js and test.html as follows:
```javascript
const http = require('http')
const fs = require('fs')
http.createServer(function(request, response) {
  console.log('request come', request.url)
  if (request.url === '/') {
    // The page itself is served with the CSP header
    const html = fs.readFileSync('test.html')
    response.writeHead(200, {
      'Content-Type': 'text/html',
      'Content-Security-Policy': 'default-src http: https:'
    })
    response.end(html)
  } else {
    // Any other URL (here /test.js) returns an external script
    response.writeHead(200, {
      'Content-Type': 'application/javascript'
    })
    response.end('console.log("loaded script")')
  }
}).listen(8888)
console.log('server listening on 8888')
```
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<div>This is content</div>
<script>
console.log('inline js')
</script>
<script src="/test.js"></script>
</body>
</html>
```
Restart the server and the console shows the following: the inline script is blocked by the policy, while the externally loaded script (matching the `http:` source) runs.