内容安全策略 (CSP) 功能通过向合规浏览器下达策略指令,可减少各类内容注入漏洞,如跨站点脚本 (XSS)。该功能在默认情况下为启用状态。通过向 locked.properties 中添加条目,可重新配置策略指令。
属性 | 值的类型 | 主默认值 | 其他默认值 |
---|---|---|---|
enableCSP | true false |
true | n/a |
content-security-policy | directives-list | default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data: ;frame-ancestors 'none' | admin=default-src 'self' https://feedback.esp.vmware.com;script-src https://feedback.esp.vmware.com 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:;frame-ancestors 'none' portal=default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;connect-src 'self' wss:;frame-src 'self' blob:;child-src 'self' blob:;object-src 'self' blob:;frame-ancestors 'self' rest=default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:;frame-ancestors 'none' |
x-content-type-options | OFF specification |
nosniff | n/a |
x-frame-options | OFF specification |
deny | portal = sameorigin |
x-xss-protection | OFF specification |
1; mode=block | n/a |
您可以将 CSP 属性添加到
locked.properties 文件中。示例 CSP 属性:
enableCSP = true content-security-policy = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data: content-security-policy-newadmin = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https: content-security-policy-portal = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;connect-src 'self' wss:;frame-src 'self' blob:;child-src 'self' blob:;object-src 'self' blob: x-content-type-options = nosniff x-frame-options = deny x-frame-options-portal = sameorigin x-xss-protection = 1; mode=block