How does the browser respond if the Content Security Policy is different across multiple HTTP responses from the same Origin
If the browser requests a resource from a URI and the CSP header of the first response says to load resources only from 'self', i.e.:
Content-Security-Policy: default-src 'self'
but subsequent requests for same-origin resources return a more permissive CSP in their headers, i.e.:
Content-Security-Policy: default-src 'self' *.trusted.com
does the browser apply the most permissive policy specified?
"The browser does not persist CSP policies across responses, and doesn't between responses maintain any state information about policies from previous responses." - ibid.
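An added example (not part of the original question or answer) that models this per-response behaviour in JavaScript: each response's Content-Security-Policy header is parsed and enforced only for the document it was delivered with, and nothing is merged or remembered across responses. The origin https://example.com, the resource URLs and the two response headers are constructed for the illustration; the matcher handles 'self', 'none', '*' and host-source expressions with an optional *. wildcard and port, and simplifies scheme handling.

```javascript
// Added example, not code from the original post: a minimal model of how a
// browser evaluates Content-Security-Policy per response. Each response carries
// its own policy; the browser keeps no state between responses and never
// combines a later policy with an earlier one.

// Parse a CSP header value into a map of directive name -> source expressions.
// The first occurrence of a directive wins, as in the CSP specification.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one source expression match the request URL for a document at documentOrigin?
// Scheme-source handling is simplified: "*" is treated as matching any URL.
function sourceMatches(expr, documentOrigin, requestUrl) {
  if (expr === "'none'") return false;
  if (expr === "*") return true;
  if (expr === "'self'") return requestUrl.origin === documentOrigin.origin;
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== requestUrl.protocol) return false;
  const reqHost = requestUrl.hostname.toLowerCase();
  const h = host.toLowerCase();
  // "*.trusted.com" matches subdomains only, not "trusted.com" itself.
  if (wildcard) {
    if (!reqHost.endsWith("." + h)) return false;
  } else if (reqHost !== h) {
    return false;
  }
  const reqPort = requestUrl.port || defaultPort(requestUrl.protocol);
  if (port && port !== "*" && port !== reqPort) return false;
  return true;
}

// May a document governed by `policy` load `requestUrl` under `directive`
// (e.g. "script-src")? Falls back to default-src when the directive is absent.
function allows(policy, directive, documentOrigin, requestUrl) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (!sources) return true; // no applicable directive: unrestricted
  return sources.some((expr) => sourceMatches(expr, documentOrigin, requestUrl));
}

// Constructed scenario from the question: two responses from the same origin,
// the second with a wider policy than the first.
const ORIGIN = new URL("https://example.com/");
const responses = [
  { path: "/page1", csp: "default-src 'self'" },
  { path: "/page2", csp: "default-src 'self' *.trusted.com" },
];

// Each document is checked only against the policy delivered with it.
function decide(response, directive, resource) {
  const policy = parseCsp(response.csp);
  return allows(policy, directive, ORIGIN, new URL(resource));
}

// One decision per response for the same third-party script: /page1 blocks it,
// /page2 allows it. The wider policy on /page2 does not loosen /page1, and the
// stricter policy on /page1 does not tighten /page2.
function decisionTable() {
  const resource = "https://cdn.trusted.com/lib.js";
  return responses.map((r) => ({ path: r.path, allowed: decide(r, "script-src", resource) }));
}

console.table(decisionTable());
```

Run it with Node; the table shows `allowed: false` for /page1 and `allowed: true` for /page2, which is the behaviour the quoted answer describes: there is no "most permissive" policy, only the policy of the response that produced the current document.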