Content Security Policy: The page's settings b

2019-02-21 10:48发布

问题:

I have Java-based based web application running on Tomcat 6. My application is running on localhost and port 9001.

To make my application more secure and to reduce the risk of XSS attacks, I added the header Content-Security-Policy with value default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'. With this I want to allow the web application to load the JavaScript files from same domain.

For other resources it continues to load in the same fashion as it was without this header.

But I am getting the below error.

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost:9001").

回答1:

The Content Security Policy header is a white list of trusted sources.

The default-src list is the list used by all other *-src lists. If it is not present, the default is default-src: * which means "all content is allowed from anywhere", which does not provide any protection against XSS.

Therefore, you should start with

  • default-src none, so that all content is disallowed, or
  • default-src 'self', so that only content from your domain is allowed.

After that, other *-src can be replaced as needed. For example, the following trusts self for everything except images, and images are only allowed from example.com (but not from 'self'):

default-src 'self'; img-src example.com;

In your question, you specify default-src * 'unsafe-inline' 'unsafe-eval'; which might be causing the issue since * already implies 'unsafe-inline' and 'unsafe-eval'. It's like saying "allow everything and allow inline and allow eval".

Also note that CSP is supported via the X-Content-Security-Header in IE >= 8.

Sources:

  • http://content-security-policy.com/
  • http://www.w3.org/TR/CSP/
  • http://caniuse.com/#feat=contentsecuritypolicy


回答2:

Try:

default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self' 'unsafe-inline' 'unsafe-eval'