堆栈内存溢出
  简体   繁体   English

为Feature-Policy HTTP标头设置默认值

[英]Set a default for Feature-Policy HTTP header

 原文  2018-11-09 13:51:54       http/ browser/ header/ http-headers/ content-security-policy

问题描述

For HTTP Feature-Policy header you can set the features mentioned in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy individually. 对于HTTP Feature-Policy标头,您可以分别设置https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy中提到的功能。 But how can I set a default? 但是如何设置默认值?

You can do it for Content-Security-Policy by setting default-src , is there an equivalent for Feature-Policy ? 您可以通过设置default-srcContent-Security-Policy做到这一点, Feature-Policy是否等效?

It would be more convenient than setting each of the numerous features individually, especially because you'll have to keep that list up to date as new features are added. 这将比分别设置众多功能中的每一个功能更为方便,特别是因为添加新功能时,您必须使该列表保持最新。

1 个解决方案

解决方案1
 0  2019-02-19 13:47:48

There is an active discussion of this issue here: 这里对此问题进行了积极的讨论:

https://github.com/w3c/webappsec-feature-policy/issues/189 https://github.com/w3c/webappsec-feature-policy/issues/189

Summarising the github thread, the main issue with having a default policy is that you might be using a feature that later becomes subject to a policy. 总结一下github线程,拥有default策略的主要问题是您可能正在使用某个功能,该功能以后将要服从策略。 Your website will then break, and as a result, browser vendors will either not ship the new feature or will be unwilling to make it subject to a policy, and feature policy as a concept will be dead in the water. 然后,您的网站将崩溃,结果,浏览器供应商将要么不提供新功能,要么不愿意将其置于政策之下,而作为一项概念的功能政策将陷入困境。

There are a number of possible solutions to this: 有许多可能的解决方案:

  • Make default refer not just to all the existing policies, but everything that might be subject to a policy, by throwing the net incredibly wide. 通过使网络难以置信地广泛传播,使default引用所有现有策略,而且还引用可能受策略限制的所有内容 This would disable virtually all DOM, browser and network APIs. 这实际上将禁用所有DOM,浏览器和网络API。 But it seems likely that you'd want to use some of this stuff, making the directive pretty useless. 但是您似乎可能想使用其中的一些东西,从而使该指令变得毫无用处。
  • Don't implement default but add some immutable 'bundle' policies. 不要实现default而是添加一些不变的“捆绑”策略。 When you adopt the bundle, you know what it is contains, and that won't change, but as new policies are introduced, we can create new larger, more restrictive bundles, without breaking sites that have adopted the previous bundles. 当您采用捆绑软件时,您会知道它包含的内容,并且不会改变,但是随着新策略的推出,我们可以创建更大,更严格的捆绑软件,而不会破坏采用先前捆绑软件的站点。 This is my suggestion 这是我的建议

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 默认设置HTTP header为Postman上的所有请求 - Set HTTP header to all requests on Postman by default 在tcl http中将默认的http标头请求设置为空 - set default http header request to empty in tcl http 在flutter http请求中为所有请求设置默认标头的最佳方法 - Best way to set default header for all request in flutter http request 在Go中添加默认的HTTP标头 - Adding a default HTTP header in Go $ http设置标头错误-angularjs - $http set header bug - angularjs 什么是Squid的默认缓存策略,没有Cache-Control标头? - What is Squid's default caching policy with no Cache-Control header? 如何在HTTP响应中设置标头? - How to set a header in an HTTP response? Tomcat 7 可以配置为插入“Content-Security-Policy”HTTP 标头吗? - Can Tomcat 7 be configured to insert “Content-Security-Policy” HTTP header? HTTP Content-Security-Policy 是按页面还是按 GET 设置的? - Is HTTP Content-Security-Policy set per page or per GET? 是否必须在http标头中设置cookie? - Does a cookie have to be set in the http header?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM