內容安全性原則 (CSP) 功能透過向符合規範的瀏覽器提供原則指令,可減少廣泛類別的內容插入漏洞,例如跨網站指令碼 (XSS)。此功能依預設為啟用狀態。您可以透過將項目新增至 locked.properties 以重新設定原則指令。

表 1. CSP 內容
內容 值類型 主要預設值 其他預設值
enableCSP true

false

true n/a
content-security-policy directives-list default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data: ;frame-ancestors 'none'

admin=default-src 'self' https://feedback.esp.vmware.com;script-src https://feedback.esp.vmware.com 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:;frame-ancestors 'none'

portal = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;connect-src 'self' wss:;frame-src 'self' blob:;child-src 'self' blob:;object-src 'self' blob:;frame-ancestors 'self'

rest= default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:;frame-ancestors 'none'

x-content-type-options OFF

specification

nosniff n/a
x-frame-options OFF

specification

deny portal = sameorigin
x-xss-protection OFF

specification

1; mode=block n/a
您可以將 CSP 內容新增至 locked.properties 檔案。CSP 內容範例:
enableCSP = true
content-security-policy = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self'
 'unsafe-inline';font-src 'self' data:
content-security-policy-newadmin = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self'
 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:
content-security-policy-portal = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 
'unsafe-inline';font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;connect-src 'self' wss:;frame-src 
'self' blob:;child-src 'self' blob:;object-src 'self' blob:
x-content-type-options = nosniff
x-frame-options = deny
x-frame-options-portal = sameorigin
x-xss-protection = 1; mode=block