A Content Security Policy (CSP) is a policy, delivered through an HTTP response header or a meta element, that restricts which content a page may load. It is a widely supported security standard that every website operator should be aware of.
Using a CSP adds a layer of protection to a website by declaring which content sources are allowed and which are not. These rules help protect against content injection and cross-site scripting (XSS), both of which appear among OWASP's top ten web application security risks.
An XSS attack occurs when an attacker injects malicious code into an unprotected website. When a user interacts with the site, the malicious script executes in the user's browser, giving the attacker access to the victim's session with the site, such as login credentials.
CSP mitigates many script injection attacks because it can restrict JavaScript to load only from trusted locations. It is a defence in depth, not a replacement for output encoding and input validation, and a policy that allows 'unsafe-inline' or wildcard sources gives little protection.
This article walks through some test cases for the frame-src directive, which governs the URLs a page may load into iframes and other nested browsing contexts. Note that frame-src controls what a page embeds, not who may embed it; the latter is the job of frame-ancestors, which cannot be delivered via a meta element.
The container is the parent web application, listening on port 3000 (the wechat folder).
It embeds in an iframe a page from another web application, listening on port 3002 (the Jerrylist folder).
If no CSP-related directives are declared (via meta tags) in the csp page under the Jerrylist folder, the iframe loads fine:
Test 1: the port-3000 application (the parent that embeds the port-3002 application in an iframe) adds frame-src 'self'.
Source code:
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="frame-src 'self'">
</head>
<h1>Parent</h1>
<iframe src="http://localhost:3002/csp"></iframe>
</html>
Test result (browser console):
Refused to frame 'http://localhost:3002/' because it violates the following Content Security Policy directive: "frame-src 'self'".
The iframe fails to load, as expected: 'self' matches only the page's own origin (scheme, host and port), and localhost:3002 is a different origin from localhost:3000.
Test 2: the host is written in single quotes
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="frame-src 'http://localhost:3002'">
</head>
<h1>Parent</h1>
<iframe src="http://localhost:3002/csp"></iframe>
</html>
Error messages:
The source list for the Content Security Policy directive 'frame-src' contains an invalid source: ''http://localhost:3002''. It will be ignored.
11:25:37.549 localhost/:6 Refused to frame 'http://localhost:3002/' because it violates the following Content Security Policy directive: "frame-src 'none'".
The iframe fails to load. Single quotes are reserved for keyword sources such as 'self', 'none' and 'unsafe-inline'; a host or URL must be written without quotes. The browser drops the invalid source, and because nothing valid remains, the directive is treated as 'none', so a malformed list fails closed rather than open.
If the value is changed to *, the iframe loads again, but * permits framing any http or https origin, which defeats the purpose of the directive:
The following code also works, since a host source may include a port and a path; a path without a trailing slash must match exactly, so only /csp on that host may be framed:
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="frame-src http://localhost:3002/csp">
</head>
<h1>Parent</h1>
<iframe src="http://localhost:3002/csp"></iframe>
</html>
The following code also works, since a port wildcard (*) accepts any port on that host:
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="frame-src http://localhost:*/csp">
</head>
<h1>Parent</h1>
<iframe src="http://localhost:3002/csp"></iframe>
</html>
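To make the behaviour seen in the tests above reproducible without a browser, here is an added example (not code from the original post) that models how a browser evaluates a frame-src source list: keyword matching for 'self' and 'none', the wildcard *, host sources with an explicit port, a port wildcard and a path, and the invalid-source handling from Test 2 where a quoted host is dropped and the empty list falls back to 'none'. It goes beyond the tests by also covering subdomain wildcards and the fall-back from frame-src to child-src and default-src. The function and constant names are hypothetical, the parent origin is assumed to be http://localhost:3000/ as described above, and the matcher is simplified (no redirect handling, no percent-decoding of paths, and 'self' is plain same-origin).

```javascript
// Added example: simplified CSP frame-src evaluation (hypothetical helpers,
// not browser or project code). Assumes the parent page is served from
// http://localhost:3000/ and embeds http://localhost:3002/csp, as in the tests.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const KEYWORDS = new Set(["'self'", "'none'"]); // keywords meaningful for frame-src
// [scheme://]host[:port][/path], where host may be "*" or "*.example.com"
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^\s?#]*)?$/i;
const SCHEME_SOURCE = /^([a-z][a-z0-9+.-]*):$/i; // e.g. "https:"

// Parse "dir1 a b; dir2 c" into Map(name -> [tokens]); first occurrence of a name wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Drop invalid source expressions (a quoted host, for instance), and treat an
// empty result as 'none', which is what the browser reported in Test 2.
function cleanSourceList(tokens) {
  const warnings = [];
  let sources = tokens.filter((t) => {
    const ok = t === "*" || KEYWORDS.has(t.toLowerCase()) || SCHEME_SOURCE.test(t) || HOST_SOURCE.test(t);
    if (!ok) warnings.push(`invalid source ${t} ignored`);
    return ok;
  });
  if (sources.length === 0) {
    warnings.push("source list empty after parsing; treated as 'none'");
    sources = ["'none'"];
  }
  return { sources, warnings };
}

// An http source also matches https (and ws matches wss); nothing else crosses schemes.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === "http:" && urlScheme === "https:") ||
    (exprScheme === "ws:" && urlScheme === "wss:");
}

function effectivePort(url) { return url.port || DEFAULT_PORTS[url.protocol] || ""; }

// Does one source expression match the frame URL, given the embedding page URL?
function sourceMatches(expr, page, url) {
  const kw = expr.toLowerCase();
  if (kw === "'none'") return false; // matches nothing
  if (kw === "'self'") { // same scheme, host and port as the embedding page
    return url.protocol === page.protocol && url.hostname === page.hostname &&
      effectivePort(url) === effectivePort(page);
  }
  if (expr === "*") return url.protocol in DEFAULT_PORTS || url.protocol === page.protocol;
  const s = SCHEME_SOURCE.exec(expr);
  if (s) return schemeMatches(s[1].toLowerCase() + ":", url.protocol);
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeMatches(scheme ? scheme.toLowerCase() + ":" : page.protocol, url.protocol)) return false;
  const h = host.toLowerCase(), uh = url.hostname.toLowerCase();
  if (h.startsWith("*.") ? !uh.endsWith(h.slice(1)) : h !== uh) return false; // "*.x" never matches bare "x"
  if (port === undefined) { // no port in the expression: URL must use the scheme's default port
    if (effectivePort(url) !== DEFAULT_PORTS[url.protocol]) return false;
  } else if (port !== "*" && port !== effectivePort(url)) return false;
  if (path !== undefined) { // trailing slash = prefix match, otherwise exact match
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Decide whether the page at pageHref (carrying policy) may frame frameHref.
// frame-src falls back to child-src, then default-src; with none present, frames are unrestricted.
function frameSrcAllows(policy, pageHref, frameHref) {
  const directives = parsePolicy(policy);
  const name = ["frame-src", "child-src", "default-src"].find((d) => directives.has(d));
  if (!name) return { allowed: true, directive: null, warnings: [] };
  const { sources, warnings } = cleanSourceList(directives.get(name));
  const page = new URL(pageHref), frame = new URL(frameHref);
  const allowed = sources.some((src) => sourceMatches(src, page, frame));
  if (!allowed) warnings.push(`Refused to frame '${frame.origin}/' (directive "${name} ${sources.join(" ")}")`);
  return { allowed, directive: name, warnings };
}

const PAGE = "http://localhost:3000/";      // assumed parent (container) origin
const FRAME = "http://localhost:3002/csp";  // the embedded page from the tests
for (const p of ["frame-src 'self'", "frame-src 'http://localhost:3002'", "frame-src *",
                 "frame-src http://localhost:3002/csp", "frame-src http://localhost:*/csp"]) {
  const r = frameSrcAllows(p, PAGE, FRAME);
  console.log(`${p.padEnd(36)} -> ${r.allowed ? "loads" : "blocked"}  ${r.warnings.join(" | ")}`);
}
```

Running the block prints one line per test policy; the two blocked cases carry the warnings that explain why, mirroring the console messages shown above. The port wildcard and path rules are the ones to watch in a real policy: `http://localhost:*/csp` is far broader than it looks during local testing, and a trailing slash turns an exact path into a prefix.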
The following code also works: