Skip to content

Instantly share code, notes, and snippets.

@xgqfrms-GitHub

xgqfrms-GitHub/CSP.md Secret

Last active June 6, 2017 05:09
Show Gist options
  • Save xgqfrms-GitHub/ecf7733d066d56723b00de41a849037a to your computer and use it in GitHub Desktop.
Save xgqfrms-GitHub/ecf7733d066d56723b00de41a849037a to your computer and use it in GitHub Desktop.
Download ZIP
CSP 内容安全策略
Raw
CSP.md

CSP 内容安全策略

https://developers.google.com/web/fundamentals/security/csp/

CSP 基于白名单来源,因为此方法可明确指示浏览器将特定的资源集视为可接受的资源,并拒绝其余资源。

https://developers.google.com/web/fundamentals/security/csp/

TL;DR

  • 使用白名单告诉客户端允许加载和不允许加载的内容。
  • 了解可使用哪些指令。
  • 了解这些指令接受哪些关键字。
  • 内联代码和 eval() 被视为是有害的。
  • 向服务器举报政策违规行为,以免执行这些行为。
    
<meta http-equiv="Content-Security-Policy" 
content="default-src https://cdn.example.net; child-src 'none'; object-src 'none'" />

https://github.com/xgqfrms-GitHub/webgeeker/blob/gh-pages/CSP/readme.md

@xgqfrms-GitHub
Copy link
Author

CORS & CSP

Fetch API get json data

https://gist.github.com/xgqfrms-GitHub/840fe27cecb9e7217fb4f0b09db19406

CSP & CORS

document.readyState & DOMContentLoaded

https://gist.github.com/xgqfrms-GitHub/b0da64ef34e0ba8072de09599aeb4cbf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment