
Is there a benefit to adding Content-Security-Policy headers to Javascript resources?

An automated scanning tool is flagging the fact that our Javascript bundle is not being returned with a Content-Security-Policy header even though the document itself has the header.

My understanding is that the Content-Security-Policy header controls the loading of resources within a document. Does it provide any benefit when added to the resources themselves?

The short answer is generally no.

The long answer is that you need to set your content-types properly. There is a scenario where, if you don't set the content-type correctly, it leads to issues, unless the JS files are static rather than rendered in the background. If an attacker could find a way to manipulate the first bytes of dynamic JS files, they could run those files' content as HTML. So if you don't use dynamic JS files, or those files don't allow manipulating the first bytes, you don't need to set CSP policies.
