2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I reviewed the CSP (Content Security Policy) mechanism a long time ago. Many people call it the terminator of XSS attacks, because instead of trying to recognise cross-site payloads with regular expressions and signature matching, it forbids the risky usages outright at the protocol layer (an HTTP response header sent by the server) and builds on the same-origin model. I had put some of these notes into a txt file earlier; posting them here as a memo :)
1) A CSP policy does not allow data: URI resources by default. If you want to use them, the scheme has to be listed explicitly in the relevant directive, for example: img-src 'self' data:
2) CRLF injection (splitting the response headers) can insert a new Content-Security-Policy header below the original one. What matters is how browsers treat several headers with the same name: for CSP the spec requires every policy present on the response to be enforced, so a resource has to pass all of them, and an injected second header can only tighten the policy, not relax it. Header injection is therefore only useful for a bypass when the injection point lets you terminate the header block early (an injected blank line pushes the real CSP header into the response body, where it is never parsed) or otherwise keep the original header from being sent.
3) script-src: controls where scripts may be loaded from. Once it is set, inline JavaScript (script blocks, event-handler attributes, javascript: URLs) is not executed unless 'unsafe-inline' is added, and eval, setTimeout/setInterval with string arguments and new Function() are refused unless 'unsafe-eval' is added. Leaving both keywords out is what gives CSP its XSS-blocking value.
4) object-src: controls plugin content: the object, embed and applet elements (and the code and archive attributes of applet).
5) style-src: controls the stylesheet URIs loaded through link rel=stylesheet and @import. Without 'unsafe-inline' the browser refuses to apply internal style blocks and inline style attributes; this does not stop external stylesheets from being linked from an allowed source.
6) img-src: controls image loads, including the src attribute of img, url() and image() in CSS3, and the href attribute of link when rel is an image-related value such as icon.
7) media-src: controls the src attributes of external link resources of media types, such as video, audio, source, and track tags.
8) frame-src: controls the external page links contained in the embedded frame: iframe or a frame.
9) font-src: controls @ font-face in CSS
10) connect-src: controls script-initiated connections: XMLHttpRequest open(), WebSocket, EventSource (and fetch()).
11) Summary of the defaults once a policy restricts scripts: inline script and eval-type functions (eval, setInterval and setTimeout with string arguments, new Function()) are not executed, and data: URIs are not allowed unless listed. XBL bindings (Firefox-specific) are only allowed when requested from chrome: and resource: URIs; XBL referenced from CSS through -moz-binding from any other origin is not executed.