内容安全策略 (CSP) 功能通过向合规浏览器下达策略指令,可减少各类内容注入漏洞,如跨站点脚本 (XSS)。该功能在默认情况下为启用状态。通过向 locked.properties 中添加条目,可重新配置策略指令。

表 1. CSP 属性
属性 值的类型 主默认值 其他默认值
enableCSP true

false

true n/a
content-security-policy directives-list default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data: ;frame-ancestors 'none' admin=default-src 'self' https://feedback.esp.vmware.com;script-src https://feedback.esp.vmware.com https://lumos.vmware.com 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:;frame-ancestors 'none'

portal=default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;connect-src 'self' wss:;frame-src 'self' blob:;child-src 'self' blob:;object-src 'self' blob:;frame-ancestors 'self'

rest=default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:;frame-ancestors 'none'

x-content-type-options OFF

specification

nosniff n/a
x-frame-options OFF

specification

deny portal = sameorigin
x-xss-protection OFF

specification

1; mode=block n/a
您可以将 CSP 属性添加到 locked.properties 文件中。示例 CSP 属性:
enableCSP = true
content-security-policy = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self'
 'unsafe-inline';font-src 'self' data:
content-security-policy-newadmin = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self'
 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:
content-security-policy-portal = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 
'unsafe-inline';font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;connect-src 'self' wss:;frame-src 
'self' blob:;child-src 'self' blob:;object-src 'self' blob:
x-content-type-options = nosniff
x-frame-options = deny
x-frame-options-portal = sameorigin
x-xss-protection = 1; mode=block