CSP - Content Security Policy
From Wikizone
Revision as of 28 February 2022, 14:34 by 134.3.74.15 (talk)
Introduction
A CSP is metadata that tells the browser which sources the current page may load scripts, images and other resources from. This gives the user better protection against cross-site scripting (XSS).
https://www.youtube.com/watch?v=1-sx4AmjGCI
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' data: gap: 'unsafe-eval' ws: ;
               style-src 'self' 'unsafe-inline';
               script-src https: *.example.com ;
               media-src 'none';
               font-src *;
               connect-src *;
               img-src 'self' data: content:;">
<!--
Also
base-uri /abc/; - limit <base> URLs to content in this folder (CSP Level 2)
form-action ; - limit where forms can be sent (CSP Level 2)
VALUES
'self' - anything from the same origin
data: - data URIs (e.g. base64-encoded images)
gap: - PhoneGap and Cordova, used by plugins on iOS
ws: - web sockets
* - anything except data:, blob: and filesystem:
filesystem: - access things on the local filesystem
blob: - allow Binary Large OBjects
mediastream: - allow streamed media
content: - used by Cordova
'none' - prevent anything in the category
https: - anything over https://
*.example.com - anything from any subdomain of example.com (not example.com itself)
'unsafe-inline' - inline source elements like style attributes, onclick handlers or script tags
'unsafe-eval' - allow JavaScript eval().
-->
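To see how the directives and source values above are actually applied, here is an added example (not from the original page) that parses the policy from the meta tag and decides whether a given resource load would be allowed, including the fallback to default-src for directives that are not listed. The protected page origin https://app.example.org/ is a constructed assumption, and the matching is deliberately simplified: ports, path matching, nonces, hashes and 'strict-dynamic' are not handled.

```python
from urllib.parse import urlparse

# The policy from the <meta> tag above, serialized as the browser receives it.
POLICY = ("default-src 'self' data: gap: 'unsafe-eval' ws: ; "
          "style-src 'self' 'unsafe-inline'; script-src https: *.example.com ; "
          "media-src 'none'; font-src *; connect-src *; img-src 'self' data: content:;")

def parse_csp(policy):
    """Split a serialized policy into {directive: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    return directives

def source_matches(expr, url, page):
    """One source expression against one URL (simplified CSP matching, no ports/paths)."""
    e, u = expr.lower(), urlparse(url)
    if e == "'none'" or (e.startswith("'") and e != "'self'"):
        return False                     # keywords, nonces and hashes never match a URL
    if e == "'self'":
        return (u.scheme, u.hostname) == (page.scheme, page.hostname)
    if e == "*":
        return u.scheme not in ("data", "blob", "filesystem")
    if e.endswith(":"):                  # scheme source such as https: or data:
        return u.scheme == e[:-1]
    scheme, _, host = e.rpartition("://")  # host source, optionally with scheme
    if scheme and u.scheme != scheme:
        return False
    if not scheme and u.scheme not in (page.scheme, "https"):
        return False                     # a bare host source does not permit a downgrade
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def allows(directives, directive, url, page_url="https://app.example.org/"):
    """Is a fetch of url permitted by the directive, falling back to default-src?
    page_url is a constructed stand-in for the document carrying the policy."""
    exprs = directives.get(directive, directives.get("default-src", ["*"]))
    page = urlparse(page_url)
    return any(source_matches(e, url, page) for e in exprs)

def allows_inline(directives, directive):
    """Inline code is only allowed when the governing directive lists 'unsafe-inline'."""
    exprs = directives.get(directive, directives.get("default-src", []))
    return "'unsafe-inline'" in (e.lower() for e in exprs)
```

Note that `https:` in script-src makes the `*.example.com` entry irrelevant in practice, because any script served over HTTPS from any host is allowed, while `font-src *` still rejects data: URIs, exactly as the value list states.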