Content Security Policy (CSP): a good helper in defending against XSS attacks

Read the full text http://click.aliyun.com/m/22994/
What is CSP?
The core idea is very simple: by sending a Content-Security-Policy header, the website tells the browser which resources are authorized to load and execute, and which must be blocked.

Here's a PHP example:

<?php
header("Content-Security-Policy: <your directives>");
?>
Some directives
You can define global rules, or rules that apply to a particular class of resource:

default-src 'self' ;
# self = same port, same domain name, same protocol => allowed
The basic directive is default-src: if no directive is set for a certain type of resource, the browser falls back to this default value.

script-src 'self' www.google-analytics.com ;
# JS files from these domains => allowed
In this example, we authorize JavaScript files from the domain www.google-analytics.com to be used on our website. We also added the 'self' keyword: once a script-src directive is set, it overrides the default-src rule for scripts, so 'self' has to be repeated here if same-origin scripts should still be allowed.

If no scheme or port is specified, the browser requires the same scheme and port as the current page. This prevents mixed content: if the page is https://example.com, it cannot load http://www.google-analytics.com/file.js, because the scheme does not match. There is one exception, for protocol upgrades: if http://example.com tries to load https://www.google-analytics.com/file.js, the change of scheme (and port) is allowed, because it moves to the more secure protocol.

style-src 'self' data: ;
# Data-URI embedded CSS => allowed
In this example, the data: keyword authorizes data: URIs as a source of CSS.

Under the CSP 1 specification, you can also set the following rules:

img-src Valid image sources
connect-src Applies to XMLHttpRequest (AJAX), WebSocket and EventSource
font-src Valid font sources
object-src Valid plugin sources (e.g. <object>, <embed>, <applet>)
media-src Valid <audio> and <video> sources
The CSP 2 specification adds the following rules:

child-src Valid sources for web workers and elements such as <frame> and <iframe> (this directive replaces the frame-src directive of CSP 1, which is now deprecated)
form-action Valid targets for HTML <form> actions
frame-ancestors Valid parents that may embed this page in a <frame> or <iframe>
upgrade-insecure-requests Instructs the user agent to rewrite URL schemes, changing HTTP to HTTPS (handy for sites that need to rewrite a lot of stale URLs)
For better backward compatibility with deprecated directives, you can simply copy the contents of the current directive into an identical copy of the deprecated one. For example, copy the contents of child-src into a frame-src directive.

CSP 2 lets you whitelist paths (CSP 1 only allows whole domains to be whitelisted). So instead of whitelisting the entire www.foo.com domain, you can restrict further by whitelisting a path such as www.foo.com/some/folder. This requires a browser with CSP 2 support, but it is significantly more secure.
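As an added example (not code from the original article), here is a simplified Python model of the matching rules described above: default-src as the fallback for the fetch directives, 'self' as same scheme, host and port as the page, host sources inheriting the page's scheme and port with the HTTP-to-HTTPS upgrade exception, and CSP 2 path restrictions. It is a teaching model of the rules as this page states them, not the full browser algorithm; the policy strings and URLs used with it are constructed.

```python
from urllib.parse import urlsplit

# CSP 1 fetch directives fall back to default-src when they are not set.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "media-src", "child-src"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_policy(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in filter(str.split, header.split(";")):
        name, *sources = directive.split()
        policy[name.lower()] = sources
    return policy

def _split(url):
    """Return (scheme, host, port, path), filling in the scheme's default port."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme), u.path

def source_matches(source, page_url, resource_url):
    """Match one source expression ('self', data:, host or host/path) against a URL."""
    p_scheme, p_host, p_port, _ = _split(page_url)
    r_scheme, r_host, r_port, r_path = _split(resource_url)
    if source == "'self'":                       # same scheme, host and port as the page
        return (r_scheme, r_host, r_port) == (p_scheme, p_host, p_port)
    if source.endswith(":"):                     # scheme source such as data:
        return r_scheme == source[:-1]
    if "://" not in source:                      # no scheme given: inherit the page's
        source = p_scheme + "://" + source
    s_scheme, s_host, s_port, s_path = _split(source)
    if r_host != s_host:
        return False
    # Scheme and port must match, except for the http -> https upgrade the text allows.
    upgrade = s_scheme == "http" and r_scheme == "https" and r_port == 443
    if (r_scheme, r_port) != (s_scheme, s_port) and not upgrade:
        return False
    if s_path in ("", "/"):                      # no path: the whole host is allowed
        return True
    # CSP 2 path: a trailing slash means prefix match, otherwise exact match.
    return r_path.startswith(s_path) if s_path.endswith("/") else r_path == s_path

def is_allowed(policy, directive, page_url, resource_url):
    """Decide whether a resource may load, falling back to default-src like a browser."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                              # no rule at all: browser default applies
    return any(source_matches(s, page_url, resource_url) for s in sources)
```

Feeding it the article's own policy shows why 'self' must be repeated in script-src and why an https page is refused an http script while an http page may upgrade to an https one.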