Does specifying a connect-src directive in your content security policy relax the browser's same-origin policy and allow you to make cross-origin XHR requests? Or is this directive only used to limit already legal XHR (i.e. same-origin calls or calls enabled by CORS)?
The connect-src directive does not relax the same-origin policy; it simply specifies a list of sources to which you can connect, assuming that the browser will already allow you to connect to them (via CORS, for instance).

In general, Content Security Policy is an annotation that you as an author can use to limit the capabilities of your pages. It does not grant new privileges, but only removes them.