2025-04-07 Update From: SLTechnology News&Howtos (shulou)
Shulou(Shulou.com)06/03 Report--
This article presents a "sample analysis of Content Security Policy (CSP) in HTML5". It is easy to follow and well organized, and I hope it helps resolve your doubts. Let me lead you through the article "sample analysis of Content Security Policy (CSP) in HTML5".
Cordova does not support inline event handlers, so click handlers must be moved out of the HTML and into a .js file. The following is an excerpt from the official documentation; I hope it will help you.
To mitigate a large class of potential cross-site scripting issues, Chrome's extension system has incorporated the general concept of Content Security Policy (CSP). This introduces some fairly strict policies that make extensions more secure by default, and gives you the ability to create and enforce rules governing the types of content that can be loaded and executed by your extensions and applications.
In general, CSP acts as a block/allow list mechanism for the resources an extension loads or executes. By defining a sensible policy for your extension, you can think carefully about the resources it actually needs and ask the browser to ensure that these are the only resources the extension can access. These policies provide security beyond the host permissions your extension requests; they are an additional layer of protection, not a replacement for it.
On the web, such a policy is defined via HTTP headers or <meta> elements. Neither is an appropriate mechanism inside Chrome's extension system. Instead, an extension's policy is defined in the extension's manifest.json file, as follows:
{
  ...,
  "content_security_policy": "[POLICY STRING GOES HERE]",
  ...
}
For complete details on CSP syntax, see the Content Security Policy specification and the HTML5Rocks article "An Introduction to Content Security Policy".
Default policy restrictions
Packages that do not define manifest_version have no default content security policy. Those that opt into manifest_version 2 get the following default content security policy:
script-src 'self'; object-src 'self'
This policy increases security by restricting extensions and applications in three ways:
(1) eval() and related functions are disabled
The following code does not work:
alert(eval("foo.bar.baz"));
window.setTimeout("alert('hi')", 10);
window.setInterval("alert('hi')", 10);
new Function("return foo.bar.baz");
Evaluating such JavaScript strings is a common XSS attack vector. Instead, you should write the following code:
alert(foo && foo.bar && foo.bar.baz);
window.setTimeout(function() { alert('hi'); }, 10);
window.setInterval(function() { alert('hi'); }, 10);
// a function expression in place of new Function("return foo.bar.baz")
(function() { return foo && foo.bar && foo.bar.baz; });
(2) Inline JavaScript will not be executed
Inline JavaScript will not be executed. This restriction bans both inline <script> blocks and inline event handlers (for example, an onclick attribute on an element).
This restriction eliminates a large class of cross-site scripting attacks by making it impossible for you to accidentally execute a script supplied by a malicious third party. However, it requires you to write your code with a clean separation between content and behavior (which you should be doing anyway, of course). An example may make this clearer. You might try to write a browser action's popup as a single popup.html:
<!doctype html>
<html>
  <head>
    <title>My Awesome Popup!</title>
    <script>
      function awesome() {
        // do something awesome!
      }
      function totalAwesome() {
        // do something totally awesome!
      }
      function clickHandler(element) {
        setTimeout("awesome(); totalAwesome()", 1000);
      }
      function main() {
        // initialization work goes here.
      }
    </script>
  </head>
  <body onload="main();">
    <button onclick="clickHandler(this)">
      Click for awesomeness!
    </button>
  </body>
</html>
Relaxing the default policy
(1) Inline script
Up to Chrome 45, there was no mechanism to relax the restriction on executing inline JavaScript. In particular, setting a script policy that contains 'unsafe-inline' has no effect.
Starting with Chrome 46, inline scripts can be whitelisted by specifying the base64-encoded hash of the script's source code in the policy. The hash must be prefixed with the name of the hash algorithm used (sha256, sha384 or sha512).
That is all the content of the article "sample analysis of Content Security Policy (CSP) in HTML5". Thank you for reading! I believe you now have some understanding of the topic, and I hope this has been helpful. If you want to learn more, you are welcome to follow the industry information channel!