Dynamic content security policy with Ember / JavaScript
We have an Ember-based site that is split into two conceptual sections, and each section needs its own Content Security Policy. Currently only one CSP is applied, to index.html.
Is it possible for a Content-Security-Policy header sent in an API/server response after the page has loaded to be accepted by the browser? I have tried sending this header in the API response, but Chrome does not seem to accept it.
According to the CSP specification (Level 2, 15 December 2016), this should not be possible:
3.5. Policy applicability
This section is not normative.
Policies are associated with an protected resource, and enforced or monitored for that resource. If a resource does not create a new execution context (for example, when including a script, image, or stylesheet into a document), then any policies delivered with that resource are discarded without effect. Its execution is subject to the policy or policies of the including context.
Source: https://www.w3.org/TR/CSP2/#which-policy-applies
Changing a CSP delivered as an HTML meta element should not work either:
3.3. HTML meta Element
[...]
Note: Modifications to the content attribute of a meta element after the element has been parsed will be ignored.
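The consequence of both quotes is that a policy only takes effect when it arrives with the document itself, so a per-section CSP has to be chosen when index.html is served, not on later API calls. The following server-side sketch is an added example, not code from the question, the answer or any Ember project: the section paths (/admin, /public), the /api prefix, the policies and the hypothetical api.example.test host are all placeholders.

```javascript
// Choose the Content-Security-Policy for the *document* response (index.html)
// by section. Section names, the /api prefix and the policies are hypothetical.
const SECTION_POLICIES = {
  admin: "default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.test; frame-ancestors 'none'",
  public: "default-src 'self'; script-src 'self'; img-src 'self' https:; connect-src 'self'",
};
const DEFAULT_SECTION = "public";

// Map a request path to a section. Anything under /api/ is data fetched by an
// already-loaded page; per CSP2 section 3.5 a policy on such a response is
// discarded by the browser, so we return null and send no header there.
function sectionFor(urlPath) {
  const first = urlPath.split("?")[0].split("/").filter(Boolean)[0] || "";
  if (first === "api") return null;
  return Object.prototype.hasOwnProperty.call(SECTION_POLICIES, first)
    ? first
    : DEFAULT_SECTION;
}

// Header value for a document at this path, or null when the response is not
// a document and the header would be ignored anyway.
function cspFor(urlPath) {
  const section = sectionFor(urlPath);
  return section === null ? null : SECTION_POLICIES[section];
}

// Every non-API path returns the same index.html shell, but the CSP header is
// picked per section. Because the policy is bound to the document for its whole
// lifetime, moving between sections must be a full navigation (a new document),
// not a client-side route transition inside the loaded Ember app.
function handler(req, res) {
  const policy = cspFor(req.url);
  if (policy === null) {
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ ok: true })); // constructed stand-in API body
    return;
  }
  res.writeHead(200, {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": policy,
  });
  res.end("<!doctype html><html><head><title>app</title></head><body></body></html>");
}

// Only started when called explicitly, e.g. startServer(3000) from a script.
function startServer(port) {
  const http = require("http");
  return http.createServer(handler).listen(port);
}
```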