The Content Security Policy (CSP) feature reduces a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), by supplying policy directives to compliant browsers. This feature is enabled by default. You can reconfigure the policy directives by adding entries to locked.properties.
Property | Value type | Primary default value | Other default values |
---|---|---|---|
enableCSP | true / false | true | n/a |
content-security-policy | directives-list | default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;frame-ancestors 'none' | admin=default-src 'self' https://feedback.esp.vmware.com;script-src https://feedback.esp.vmware.com 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:;frame-ancestors 'none' portal=default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;connect-src 'self' wss:;frame-src 'self' blob:;child-src 'self' blob:;object-src 'self' blob:;frame-ancestors 'self' rest=default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:;frame-ancestors 'none' |
x-content-type-options | OFF / specification | nosniff | n/a |
x-frame-options | OFF / specification | deny | portal = sameorigin |
x-xss-protection | OFF / specification | 1; mode=block | n/a |
You can add the CSP properties to the locked.properties file. Example CSP properties:

```properties
enableCSP = true
content-security-policy = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:
content-security-policy-newadmin = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;connect-src 'self' https:
content-security-policy-portal = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;connect-src 'self' wss:;frame-src 'self' blob:;child-src 'self' blob:;object-src 'self' blob:
x-content-type-options = nosniff
x-frame-options = deny
x-frame-options-portal = sameorigin
x-xss-protection = 1; mode=block
```
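The following Python script is an added example and is not part of the VMware documentation or product code. It reads a locked.properties fragment constructed from the values shown above, builds the set of response headers a given site would receive, and then parses each directives-list to report which fetch directives end up allowing `'unsafe-inline'`, `'unsafe-eval'` or `data:` script sources, following the CSP rule that a missing fetch directive falls back to `default-src`. Two things are assumptions drawn from the property names on this page rather than documented behaviour: that a property suffixed with a site name (for example `x-frame-options-portal`) overrides the unsuffixed property for that site, and that a value of `OFF` disables the header entirely.

```python
"""Added example (not VMware's code): read CSP-related properties from a
locked.properties fragment, resolve per-site headers, and audit each policy."""

# Constructed sample built from the values shown on the page.
LOCKED_PROPERTIES = """
enableCSP = true
content-security-policy = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:
content-security-policy-portal = default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;connect-src 'self' wss:;frame-src 'self' blob:;child-src 'self' blob:;object-src 'self' blob:
x-content-type-options = nosniff
x-frame-options = deny
x-frame-options-portal = sameorigin
x-xss-protection = 1; mode=block
"""

HEADER_NAMES = ("content-security-policy", "x-content-type-options",
                "x-frame-options", "x-xss-protection")

# CSP fallback chain for fetch directives: a directive that is absent takes
# the value of its parent, ending at default-src.
FALLBACK = {"script-src": "default-src", "style-src": "default-src",
            "img-src": "default-src", "font-src": "default-src",
            "connect-src": "default-src", "media-src": "default-src",
            "object-src": "default-src", "child-src": "default-src",
            "frame-src": "child-src"}


def parse_properties(text):
    """Parse 'key = value' lines into a dict. Splits on the first '=' only,
    so a value such as '1; mode=block' survives intact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def headers_for_site(props, site=None):
    """Return the headers for one site. ASSUMPTION: '<header>-<site>'
    overrides '<header>', and the value OFF suppresses the header."""
    if props.get("enableCSP", "true").lower() != "true":
        return {}
    headers = {}
    for name in HEADER_NAMES:
        value = props.get(name)
        if site and f"{name}-{site}" in props:
            value = props[f"{name}-{site}"]
        if value and value.upper() != "OFF":
            headers[name] = value
    return headers


def parse_csp(policy):
    """Split a directives-list ('name src src;name src') into a dict."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def effective_sources(directives, directive):
    """Walk the fallback chain until a directive is present."""
    while directive not in directives and directive in FALLBACK:
        directive = FALLBACK[directive]
    return directives.get(directive, [])


def audit_csp(policy):
    """List (directive, source) pairs that weaken the policy: inline or eval
    permission anywhere, a wildcard host, or data: URIs where they can carry
    executable content (script-src and object-src)."""
    directives = parse_csp(policy)
    findings = []
    for d in FALLBACK:
        srcs = effective_sources(directives, d)
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in srcs:
                findings.append((d, weak))
        if d in ("script-src", "object-src") and "data:" in srcs:
            findings.append((d, "data:"))
    return findings


if __name__ == "__main__":
    props = parse_properties(LOCKED_PROPERTIES)
    for site in (None, "portal"):
        hdrs = headers_for_site(props, site)
        print(f"site={site or 'default'}")
        for name, value in hdrs.items():
            print(f"  {name}: {value}")
        for directive, source in audit_csp(hdrs["content-security-policy"]):
            print(f"  weak: {directive} allows {source}")
```

Running the script shows that the default policy already carries `'unsafe-inline'`, `'unsafe-eval'` and `data:` in `script-src`, which is the expected baseline for this product; the audit is useful after you change the policy, to confirm that a tightened `content-security-policy-portal` has not silently inherited a permissive source through `default-src` fallback, and that the `-portal` override for `x-frame-options` still yields `sameorigin` rather than `deny`.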