Open zhanhongtao opened 7 years ago
Directives

- `'self'`
- `https://sogou.com/`

Keywords

- `'none'` - disallows any resource
- `'self'` - allows only the current origin; subdomains are not allowed either
- `'unsafe-inline'` - allows inline code (SCRIPT/STYLE)
- `'unsafe-eval'` - allows evaluation (eval/new Function/setTimeout/...)

Note the quotes: without them the keyword is treated as an ordinary HOST.

header / meta

`Content-Security-Policy`

`<meta http-equiv="Content-Security-Policy" content="script-src 'self'">`

Other

- `*`, allows loading resources (script) from any server and executing them
- `default-src` serves as the default value for directives of the `*-src` form
- `script-src: https://sogou.com/; script-src: https://google.com/` - the same directive appears twice
- `script-src: https://sogou.com https://google.com/` - a single directive with multiple values

References
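The rules above (quoted keywords versus bare hosts, `default-src` as the fallback for `*-src` directives, a repeated directive being ignored, and several values in one directive) in a minimal CSP parser. This is an added example, not code from the issue; host matching is simplified to exact-origin comparison, and the header strings passed to it are constructed (note they use the real header syntax without colons after the directive name).

```javascript
// Minimal CSP parser (added example, not from the issue) showing the rules
// noted above. Host matching is simplified to exact-origin comparison.
const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);

// Split a header value into directives; a repeated directive name is ignored,
// so in "script-src A; script-src B" only A takes effect (spec behaviour).
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Quoted tokens are keywords; anything else (including a bare "self") is a host.
function classifySource(src) {
  if (KEYWORDS.has(src)) return 'keyword';
  if (src === '*') return 'wildcard';
  return 'host';
}

// A *-src directive that is absent falls back to default-src; with neither
// present the resource type is unrestricted.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function normalizeOrigin(s) {
  return s.replace(/\/+$/, '').toLowerCase();
}

// Would a resource from `origin`, loaded by a page at `pageOrigin`, be allowed?
function isAllowed(header, directive, origin, pageOrigin) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  return sources.some((src) => {
    switch (classifySource(src)) {
      case 'wildcard': return true;
      case 'keyword': return src === "'self'" && normalizeOrigin(origin) === normalizeOrigin(pageOrigin);
      default: return normalizeOrigin(src) === normalizeOrigin(origin);
    }
  });
}
```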