Content-security-policy 範例

2022111711:08

CSP
content-security-policy
主要是用於阻擋 Cross-Site Scripting (XSS) 攻擊
可以要求瀏覽器是否允許那些網域的 css/js 可以使用、inline js/css 能否使用


看範例

Yahoo 股市的 CSP

完整
content-security-policy-report-only: connect-src 'self' https://*.yahoo.com https://*.yimg.com https://*.adaptv.advertising.com https://tpc.googlesyndication.com https://edgecast-vod.yahoo.net https://ad.doubleclick.net; default-src 'self' https://*.yahoo.com https://s.yimg.com; font-src 'self' https://*.yahoo.com  https://s.yimg.com; frame-src 'self' https://*.yahoo.com https://s.yimg.com; img-src 'self' data: https:; media-src https://edgecast-vod.yimg.com blob:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.yahoo.com https://s.yimg.com https://consent.cmp.oath.com https://www.gstatic.com https://s.update.wtag.adaptv.advertising.com; style-src 'self' 'unsafe-inline' https://s.yimg.com; worker-src 'self' https://*.yahoo.com blob:; frame-ancestors https://*.yahoo.com https://*.yahoo.net https://*.yahoo.com.tw https://*.yahoo.com.hk https://*.yahoodns.net https://tw.discount.yahoo.net; report-uri https://csp.yahoo.com/beacon/csp?src=td-app-stock
content-security-policy: frame-ancestors https://*.yahoo.com https://*.yahoo.net https://*.yahoo.com.tw https://*.yahoo.com.hk https://*.yahoodns.net https://tw.discount.yahoo.net;

 
content-security-policy:
    frame-ancestors https://*.yahoo.com https://*.yahoo.net https://*.yahoo.com.tw https://*.yahoo.com.hk https://*.yahoodns.net https://tw.discount.yahoo.net;

content-security-policy-report-only:
    default-src 'self' https://*.yahoo.com https://s.yimg.com;
     * self   允許"自己同域名" 可以引用相關檔案(如 script/css/websocket )
     * 僅允許 *.yahoo.com 、s.yimg.com 
        一般只要設定一行 Content-security-policy: default-src 'self' 'unsafe-inline' http://*.網域;
         就可解決大部分的問題,若 script、font、css... 等檔案有各自不同的來源,可額外設定下面細項

    connect-src 'self' https://*.yahoo.com https://*.yimg.com https://*.adaptv.advertising.com ...還有3個網址 略過..;
      * self  允許自己同域名可以連接 websocket 
      * 僅允許相關的網域可連接 websocket

    font-src 'self' https://*.yahoo.com https://s.yimg.com;
      * 允許從那些地方下載字型檔案

    frame-src 'self' https://*.yahoo.com https://s.yimg.com;
      *  允許那些網址可以 iframe。若是 frame-src 'none' 表示禁止 iframe 

    img-src 'self' data: https:;
     *  允許任何 https:// 的網址圖片
     *  data: 指允許顯示 base64 圖片,如 data:image/jpeg;base64,iVBORw0KGgoAAA....

    media-src https://edgecast-vod.yimg.com blob:;
      *  <audio>和<video>可以使的網站來源

    script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.yahoo.com https://s.yimg.com ...還有3個網址略過..;
       * unsafe-eval  = 允許執行 eval() 函數
       * unsafe-inline  = 允許執行 HTML 內的 <script>...</script>
              例如部落格會開放用戶寫 <script>...</script> 若要允許執行這寫 script,就要加上 unsafe-inline
      * 允許載入 *.yahoo.com + s.yimg.com 的 script

    style-src 'self' 'unsafe-inline' https://s.yimg.com;
      * unsafe-inline = 允許 HTML 內的 css 語法可以作用
      * 允許載入 s.yimg.com 的 css 檔案

    worker-src 'self' https://*.yahoo.com blob:;
      * Web Worker  沒研究過這

    frame-ancestors https://*.yahoo.com https://*.yahoo.net https://*.yahoo.com.tw  ...還有3個網址略過..;
      * 相關 <frame> <iframe> <object> <embed> <applet>

    report-uri https://csp.yahoo.com/beacon/csp?src=td-app-stock
      * 對於違反CSP的,瀏覽器會自動回報到哪個網址


GMail 的 CSP

contContent-security-policy
    script-src https://www.google.com/js/bg/ 'self' 'unsafe-inline' 'unsafe-eval' https://mail.google.com/_/scs/mail-static/ https://*.googleusercontent.com/confidential-mail/attachments/  ...還有幾網址略過..;;
    report-uri https://mail.google.com/mail/cspreport;
    object-src https://mail-attachment.googleusercontent.com/attachment/, script-src 'nonce-CzZGaWr9crvlhKAO2iKRrg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';
    object-src 'none';base-uri 'self';
    report-uri https://mail.google.com/mail/cspreport


    

content-security-policy 與 content-security-policy-report-only 差別
content-security-policy 執行 CSP 相關規則、阻擋非法的檔案、語法
content-security-policy-report-only 僅做 report-uri 通知,不會實際做 CSP 的阻擋動作,適用於驗證自己寫的 CSP 規則是正確後,再貼到 content-security-policy 中
 

 report-uri

瀏覽器會回報 json 資料,格式:
{
  "csp-report": {
    "document-uri": "http://example.com/signup.html",
    "referrer": "",
    "blocked-uri": "http://example.com/css/style.css",
    "violated-directive": "style-src cdn.example.com",
    "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports",
    "disposition": "report"
  }
}
參考資料

<?php        
//php 接收CSP report 的寫法:

       $data = json_decode(file_get_contents('php://input'), true);
       var_dump($data);    
        $blocked_uri         = $data["csp-report"]['blocked-uri'];
        $document_uri      = $data["csp-report"]['document-uri'];
        $referrer                = $data["csp-report"]['referrer'];
        $original_policy     = $data["csp-report"]['original-policy'];
        $violated_directive = $data["csp-report"]['violated-directive']; 

?>


https://devco.re/blog/2014/04/08/security-issues-of-http-headers-2-content-security-policy/

https://hackmd.io/@Eotones/BkOX6u5kX

https://ithelp.ithome.com.tw/articles/10223568

https://cloud.tencent.com/developer/chapter/13541