当前位置:网站首页>About web content security policy directive some test cases specified through meta elements

About web content security policy directive some test cases specified through meta elements

2022-07-07 12:23:00 InfoQ

Content Security Policy  Is a use of headings or  meta  Element to restrict or approve content loaded on a specified web site .  This is a widely supported security standard , All website operators should be aware of these standards .

Use  CSP  By stating that the allowed or disallowed rules are  Web  The website adds a layer of protection .  These rules help protect against content injection and cross site scripting  (XSS)  attack , This is a  OWASP  The top ten  Web  Two of the application security risks .

When an attacker can destroy an unprotected website by injecting malicious code , It will happen  XSS  attack .  When a user tries to interact with a site , The malicious script will execute in the user's browser , This allows attackers to access the victim's interaction with the site , Such as login information .

CSP  Will prevent most script injection attacks from occurring , Because it can be set to  JavaScript  Limit to loading only from trusted locations .

This paper introduces some methods based on  
frame-src
  This  Directive  Various test cases . As a container , Definition  iframe  Of  web  application , Monitor in  3000  port :wechat  Under the folder

null
Embedded another web page , Monitor in  3002  port ,Jerrylist  Under the folder :

null
If  Jerrylist  Under folder  csp html  There is no statement in the  csp  dependent  Directive( adopt  meta  label ), be  iframe  Work well :

null

test 1:3000  application ( Namely embedding  3002  Applied  web  In the application ) increase  frame-src

Source code :

<html>
 <head>
 <meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;frame-src 'self'&quot;>
 </head>
 <h1>Parent</h1>
 <iframe src=&quot;http://localhost:3002/csp&quot;></iframe>
</html>

null
test result :

Refused to frame 'http://localhost:3002/' because it violates the following Content Security Policy directive: &quot;frame-src 'self'&quot;.

iframe  Loading failed :

null

test 2

null
<html>
 <head>
 <meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;frame-src 'http://localhost:3002'&quot;>
 </head>
 <h1>Parent</h1>
 <iframe src=&quot;http://localhost:3002/csp&quot;></iframe>
</html>

Error message :

The source list for the Content Security Policy directive 'frame-src' contains an invalid source: ''http://localhost:3002''. It will be ignored.11:25:37.549 localhost/:6 Refused to frame 'http://localhost:3002/' because it violates the following Content Security Policy directive: &quot;frame-src 'none'&quot;.

iframe  Loading failed :

null
Change to  
*
  Words , Back to work :

null
null
The following code also works :

null
<html>
 <head>
 <meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;frame-src http://localhost:3002/csp&quot;>
 </head>
 <h1>Parent</h1>
 <iframe src=&quot;http://localhost:3002/csp&quot;></iframe>
</html>

The following code also works :

<html>
 <head>
 <meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;frame-src http://localhost:*/csp&quot;>
 </head>
 <h1>Parent</h1>
 <iframe src=&quot;http://localhost:3002/csp&quot;></iframe>
</html>

null
null
The following code also works :

null
原网站

版权声明
本文为[InfoQ]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/188/202207071007169727.html

边栏推荐

猜你喜欢

随机推荐