Study notes: CSP (Content Security Policy)

Marvin
1 min read · Nov 15, 2019

What is CSP:

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website — covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.
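To make the "approved origins" idea concrete, here is an added example (not from the original post) of a minimal evaluator for CSP source lists: it parses a policy, decides whether a resource URL may be loaded for a given directive, applies the fall-back to `default-src` for fetch directives, and shows that `frame-ancestors` (the anti-clickjacking directive) does not fall back. The policy string and all hostnames are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed policy for this example (not from the original post).
POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.test; "
          "frame-ancestors 'none'")
# Directives that do not fall back to default-src when absent.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri"}

def parse_policy(policy):
    """'dir src src; dir src' -> {directive: [source expressions]}."""
    parsed = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed

def source_matches(source, url, page_origin):
    """Match one source expression ('self', host, scheme://host, *.host) to a URL."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):          # other keywords ('none', 'unsafe-inline') match no URL
        return False
    if "://" not in source:             # host-only source inherits the page's scheme
        source = page_origin.split("://", 1)[0] + "://" + source
    s = urlsplit(source)
    if s.scheme != u.scheme or s.port != u.port:
        return False
    if s.hostname.startswith("*."):     # *.example.test matches any subdomain
        return u.hostname.endswith(s.hostname[1:])
    return u.hostname == s.hostname

def effective_sources(parsed, directive):
    """Fetch directives fall back to default-src; None means unrestricted."""
    if directive in parsed:
        return parsed[directive]
    if directive in NO_FALLBACK:
        return None
    return parsed.get("default-src")

def url_allowed(policy, directive, url, page_origin):
    """Would a browser load `url` for `directive` under `policy`?"""
    sources = effective_sources(parse_policy(policy), directive)
    return True if sources is None else any(source_matches(s, url, page_origin) for s in sources)

def inline_allowed(policy, directive):
    """Inline script/style runs only if the list carries 'unsafe-inline'."""
    sources = effective_sources(parse_policy(policy), directive)
    return sources is None or "'unsafe-inline'" in sources
```

Because inline script is blocked unless `'unsafe-inline'` is declared, a policy like the one above stops the typical injected `<script>` even when the XSS bug itself is still present; the evaluator covers only source lists, not nonces or hashes.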

The detailed documentation is here:

A talk on CSP by Adam Barth (who took part in drafting the HSTS spec; the video is fairly old, from before version 2.0 existed, so it is linked here as a friendly pointer):

The draft of the latest version, 3.0, has also been written and is here:
