如何理解热门网站的内容安全策略(CSP)规则?
How to understand the Content-Security-Policy (CSP) rules by the popular websites?
最近在研究CSP,发现主流网站上有些奇怪的CSP声明。
对于 Facebook,登录后,CSP 是这样的:
default-src * data: blob: 'self';
script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.google.com 127.0.0.1:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';
style-src data: blob: 'unsafe-inline' *;
connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
block-all-mixed-content;
upgrade-insecure-requests;
让我感到困惑的是 default-src 使用小行星 (*) 然后遵循其他更严格的规则 ('self'):
default-src * data: blob: 'self';
在我最近的研究中,通常不建议使用小行星语法,这会使您的网站不安全。而且我无法弄清楚这条规则的最终效果是什么,如果 self 总是覆盖 *,那么为什么要留下多余的 *.
至于 Twitter,他们的 CSP 是这样的:
connect-src 'self' blob: https://*.giphy.com https://*.pscp.tv https://*.video.pscp.tv https://*.twimg.com https://api.twitter.com https://api-stream.twitter.com https://ads-api.twitter.com https://aa.twitter.com https://caps.twitter.com https://media.riffsy.com https://pay.twitter.com https://sentry.io https://ton.twitter.com https://twitter.com https://upload.twitter.com https://www.google-analytics.com https://app.link https://api2.branch.io https://bnc.lt wss://*.pscp.tv https://vmap.snappytv.com https://vmapstage.snappytv.com https://vmaprel.snappytv.com https://vmap.grabyo.com https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net ;
default-src 'self';
form-action 'self' https://twitter.com https://*.twitter.com;
font-src 'self' https://*.twimg.com;
frame-src 'self' https://twitter.com https://mobile.twitter.com https://pay.twitter.com https://cards-frame.twitter.com https://accounts.google.com/;
img-src 'self' blob: data: https://*.cdn.twitter.com https://ton.twitter.com https://*.twimg.com https://analytics.twitter.com https://cm.g.doubleclick.net https://www.google-analytics.com https://www.periscope.tv https://www.pscp.tv https://media.riffsy.com https://*.giphy.com https://*.pscp.tv https://*.periscope.tv https://prod-periscope-profile.s3-us-west-2.amazonaws.com https://platform-lookaside.fbsbx.com https://scontent.xx.fbcdn.net https://scontent-sea1-1.xx.fbcdn.net https://*.googleusercontent.com https://imgix.revue.co;
manifest-src 'self';
media-src 'self' blob: https://twitter.com https://*.twimg.com https://*.vine.co https://*.pscp.tv https://*.video.pscp.tv https://*.giphy.com https://media.riffsy.com https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net;
object-src 'none';
script-src 'self' 'unsafe-inline' https://*.twimg.com https://www.google-analytics.com https://twitter.com https://app.link https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js 'nonce-ODdiNzNlNGYtNjFmNS00ZmYxLWE0ZjctODViNTU5YmI4Zjk5';
style-src 'self' 'unsafe-inline' https://accounts.google.com/gsi/style https://*.twimg.com;
worker-src 'self' blob:;
report-uri https://twitter.com/i/csp_report?a=O5RXE%3D%3D%3D&ro=false
让我困惑的是 script-src:
script-src 'self' 'unsafe-inline' https://*.twimg.com https://www.google-analytics.com https://twitter.com https://app.link https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js 'nonce-ODdiNzNlNGYtNjFmNS00ZmYxLWE0ZjctODViNTU5YmI4Zjk5';
我以为nonce是为了防止unsafe-inline的使用而设计的,但在上面的指令中,两者都存在。同样,我的问题是如果后者覆盖前者,为什么要留下多余的 unsafe-inline.
default-src * data: blob: 'self';
In my recent studies, the asteroid syntax is usually not suggested which will make your website insecure.
这通常是肯定的,但对于 XSS 来说最有潜在危险的是 script-src 和 connect-src 指令有它们自己的源白名单,没有 *.
对于其余的后备指令,星号 * 不是危险源(可能 object-src 除外),相反,它是必需的,因为用于托管图像或媒体内容的第三方主机列表可以无穷无尽。
And I cannot figure out what is the final effect of this rule, if 'self' always overrides *, then why leave a redundant *.
实际上是 * 覆盖了 'self'。是的,'self' 在使用 * 时是多余的。在大公司中,IT 专家不喜欢接触有用的东西。我认为经过一些研究,“self”仍然是一种返祖现象,因为一些较旧的 Safari 有一个错误 'self'。
I thought nonce is designed to prevent the usage of unsafe-inline, but in the above directive, both exist.
这是为了浏览器向后兼容。
在 CSP nonce 存在的情况下,'unsafe-inline' 将被现代浏览器忽略。不支持随机数的旧版浏览器将看到 'unsafe-inline' 并允许执行内联脚本。
最近在研究CSP,发现主流网站上有些奇怪的CSP声明。
对于 Facebook,登录后,CSP 是这样的:
default-src * data: blob: 'self';
script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.google.com 127.0.0.1:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';
style-src data: blob: 'unsafe-inline' *;
connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
block-all-mixed-content;
upgrade-insecure-requests;
让我感到困惑的是 default-src 使用小行星 (*) 然后遵循其他更严格的规则 ('self'):
default-src * data: blob: 'self';
在我最近的研究中,通常不建议使用小行星语法,这会使您的网站不安全。而且我无法弄清楚这条规则的最终效果是什么,如果 self 总是覆盖 *,那么为什么要留下多余的 *.
至于 Twitter,他们的 CSP 是这样的:
connect-src 'self' blob: https://*.giphy.com https://*.pscp.tv https://*.video.pscp.tv https://*.twimg.com https://api.twitter.com https://api-stream.twitter.com https://ads-api.twitter.com https://aa.twitter.com https://caps.twitter.com https://media.riffsy.com https://pay.twitter.com https://sentry.io https://ton.twitter.com https://twitter.com https://upload.twitter.com https://www.google-analytics.com https://app.link https://api2.branch.io https://bnc.lt wss://*.pscp.tv https://vmap.snappytv.com https://vmapstage.snappytv.com https://vmaprel.snappytv.com https://vmap.grabyo.com https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net ;
default-src 'self';
form-action 'self' https://twitter.com https://*.twitter.com;
font-src 'self' https://*.twimg.com;
frame-src 'self' https://twitter.com https://mobile.twitter.com https://pay.twitter.com https://cards-frame.twitter.com https://accounts.google.com/;
img-src 'self' blob: data: https://*.cdn.twitter.com https://ton.twitter.com https://*.twimg.com https://analytics.twitter.com https://cm.g.doubleclick.net https://www.google-analytics.com https://www.periscope.tv https://www.pscp.tv https://media.riffsy.com https://*.giphy.com https://*.pscp.tv https://*.periscope.tv https://prod-periscope-profile.s3-us-west-2.amazonaws.com https://platform-lookaside.fbsbx.com https://scontent.xx.fbcdn.net https://scontent-sea1-1.xx.fbcdn.net https://*.googleusercontent.com https://imgix.revue.co;
manifest-src 'self';
media-src 'self' blob: https://twitter.com https://*.twimg.com https://*.vine.co https://*.pscp.tv https://*.video.pscp.tv https://*.giphy.com https://media.riffsy.com https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net;
object-src 'none';
script-src 'self' 'unsafe-inline' https://*.twimg.com https://www.google-analytics.com https://twitter.com https://app.link https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js 'nonce-ODdiNzNlNGYtNjFmNS00ZmYxLWE0ZjctODViNTU5YmI4Zjk5';
style-src 'self' 'unsafe-inline' https://accounts.google.com/gsi/style https://*.twimg.com;
worker-src 'self' blob:;
report-uri https://twitter.com/i/csp_report?a=O5RXE%3D%3D%3D&ro=false
让我困惑的是 script-src:
script-src 'self' 'unsafe-inline' https://*.twimg.com https://www.google-analytics.com https://twitter.com https://app.link https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js 'nonce-ODdiNzNlNGYtNjFmNS00ZmYxLWE0ZjctODViNTU5YmI4Zjk5';
我以为nonce是为了防止unsafe-inline的使用而设计的,但在上面的指令中,两者都存在。同样,我的问题是如果后者覆盖前者,为什么要留下多余的 unsafe-inline.
default-src * data: blob: 'self';In my recent studies, the asteroid syntax is usually not suggested which will make your website insecure.
这通常是肯定的,但对于 XSS 来说最有潜在危险的是 script-src 和 connect-src 指令有它们自己的源白名单,没有 *.
对于其余的后备指令,星号 * 不是危险源(可能 object-src 除外),相反,它是必需的,因为用于托管图像或媒体内容的第三方主机列表可以无穷无尽。
And I cannot figure out what is the final effect of this rule, if
'self'always overrides *, then why leave a redundant*.
实际上是 * 覆盖了 'self'。是的,'self' 在使用 * 时是多余的。在大公司中,IT 专家不喜欢接触有用的东西。我认为经过一些研究,“self”仍然是一种返祖现象,因为一些较旧的 Safari 有一个错误 'self'。
I thought
nonceis designed to prevent the usage ofunsafe-inline, but in the above directive, both exist.
这是为了浏览器向后兼容。
在 CSP nonce 存在的情况下,'unsafe-inline' 将被现代浏览器忽略。不支持随机数的旧版浏览器将看到 'unsafe-inline' 并允许执行内联脚本。