Is Content Security Policy forward compatible?

If script-src: hash-source is used in a browser that does not understand hash-source, will the browser ignore all of script-src:, or even all of the CSP? Or will it only ignore the hash-source part?

More generally, do browsers implement CSP in forward compatible manner?


What oreoshake stated about backward compatibility is accurate. The process of determining an element match is described in section 6.6.2.2 of the CSP draft standard: in the presence of hash-source or nonce-source, unsafe-inline is ignored by conforming user agents:

A source list allows all inline behavior of a given type if it contains the keyword-source expression 'unsafe-inline', and does not override that expression as described in the following algorithm:

[...]

If expression matches the nonce-source or hash-source grammar, return "Does Not Allow".

Furthermore, CSP 2 specifies the process of parsing a source list with unknown tokens as follows:

For each token returned by splitting source list on spaces, if the token matches the grammar for source-expression, add the token to the set of source expressions.

Otherwise, it should be ignored. So clearly the authors intended at least a certain level of forward compatibility.


Browsers that do not understand hash source elements may emit a warning in the console, or they may not. The recommended approach is to use user agent sniffing to detect support, or to send both 'unsafe-inline' and your hash source values.

User agents that understand hash sources will ignore the 'unsafe-inline' and those that do not will fall back to the 'unsafe-inline'. So it's backwards compatible.
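Both answers above rest on two CSP 2 rules: unknown tokens in a source list are ignored, and 'unsafe-inline' is overridden once a hash-source or nonce-source is present. The following Python model of those rules is an added example, not code from either answer; the `supports_hash_nonce` flag standing in for a CSP 1.0 user agent and the loose host-source regex are simplifications.

```python
import base64
import hashlib
import re

# Simplified model of the CSP 2 source-list rules quoted in the answers.
# Only a script-src directive value is parsed; host-source is approximated.
KEYWORD_SOURCES = {"'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"}
NONCE_SOURCE = re.compile(r"^'nonce-[A-Za-z0-9+/=]+'$")
HASH_SOURCE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")
HOST_OR_SCHEME = re.compile(r"^(\*|[A-Za-z0-9*.:/\-]+)$")  # loose approximation


def parse_source_list(value, supports_hash_nonce=True):
    """Split on whitespace and keep only tokens that match a known grammar;
    anything else is ignored, as CSP 2 specifies for unknown tokens.
    supports_hash_nonce=False models a CSP 1.0 user agent (hypothetical flag)."""
    exprs = []
    for token in value.split():
        if token in KEYWORD_SOURCES:
            exprs.append(token)
        elif NONCE_SOURCE.match(token) or HASH_SOURCE.match(token):
            if supports_hash_nonce:  # an older UA has no grammar for these
                exprs.append(token)
        elif not token.startswith("'") and HOST_OR_SCHEME.match(token):
            exprs.append(token)
        # unknown quoted keywords and malformed tokens are dropped silently
    return exprs


def allows_inline_script(value, supports_hash_nonce=True):
    """'unsafe-inline' permits blanket inline scripts only when no nonce-source
    or hash-source survived parsing (the "Does Not Allow" rule quoted above)."""
    exprs = parse_source_list(value, supports_hash_nonce)
    if "'unsafe-inline'" not in exprs:
        return False
    return not any(NONCE_SOURCE.match(e) or HASH_SOURCE.match(e) for e in exprs)


def hash_source_for(inline_script):
    """Build the 'sha256-...' hash-source for an inline script body."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


if __name__ == "__main__":
    script = "console.log('hi')"  # constructed sample inline script
    policy = " ".join(["'unsafe-inline'", hash_source_for(script),
                       "https://cdn.example.com", "'future-keyword'"])
    print("CSP 2 UA allows blanket inline:", allows_inline_script(policy))
    print("CSP 1 UA allows blanket inline:", allows_inline_script(policy, False))
```

A CSP 2 user agent keeps the hash and therefore drops 'unsafe-inline', while the modelled CSP 1.0 user agent never sees the hash and falls back to 'unsafe-inline', which is the forward-compatible behaviour the answers describe.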
