HTTP(十）—— Content-Security-Policy

作用：

• 限制资源获取
• 报告资源获取越权

限制方式：

• default-scr限制全局
• 指定资源类型

资源类型：

• connect-src
• img-src
• mainfest-src
• font-src
• style-src
• media-src
• frame-src
• script-src

测试：

servre.js:

const http = require('http')
const fs = require('fs')
http.createServer(function(request, response) {
    console.log('request come', request.url)
    const html = fs.readFileSync('test.html')
    response.writeHead(200, {
        'Content-Type': 'text/html',
        'Content-Security-Policy': 'default-src http: https:'
    })
     response.end(html)
}).listen(8888)
console.log('server listening on 8888')

test.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<div>This is content</div>
<script>
    console.log('inline js')
</script>
</body>
</html>

然后启动服务去访问，会出现如下报错：

然后修改server.js和test.html如下：

const http = require('http')
const fs = require('fs')
http.createServer(function(request, response) {
    console.log('request come', request.url)
    if(request.url === '/') {
        const html = fs.readFileSync('test.html')
        response.writeHead(200, {
            'Content-Type': 'text/html',
            'Content-Security-Policy': 'default-src http: https:'
        })
        response.end(html)
    } else {
        response.writeHead(200, {
            'Content-Type': 'text/html',
            'Content-Type': 'applicationjavascript'
        })
        response.end('console.log("loaded script")')
    }
}).listen(8888)
console.log('server listening on 8888')

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<div>This is content</div>
<script>
    console.log('inline js')
</script>
<script src="/test.js"></script>
</body>
</html>

然后重启服务会显示如下，说明inline script就被受限制，而loaded script是可以执行的。

扫描二维码关注公众号，回复： 2941165 查看本文章