- Adding policies through meta tags: the preferred way to deliver a CSP is the HTTP header, which is very useful, but it would be more straightforward to set the policy from markup. WebKit has implemented policy delivery through a `meta` element, so you can try the following in Chrome: add `<meta http-equiv="X-WebKit-CSP" content="[POLICY GOES HERE]">` to the document's `<head>`. (`X-WebKit-CSP` was the vendor-prefixed experimental name; the standardized equivalent is `Content-Security-Policy`. A policy delivered through `meta` is only enforced from the point where the parser reaches the element, so place it before any script, and `frame-ancestors`, `report-uri` and `sandbox` are ignored when delivered this way.)
- DOM API: if this feature lands in the next iteration of CSP, you will be able to query a page's current policy from JavaScript and adapt to it. For example, if `eval()` is available, your code might take a slightly different path.
- connect-src: restricts the endpoints the page may connect to (XHR, WebSockets and EventSource).
- font-src: controls the origins that may serve web fonts; for example, a web-font provider is enabled by listing its origin in font-src.
- img-src: defines the origins from which images may be loaded.
- media-src: restricts the origins of video and audio.
- object-src: restricts the origins of Flash and other plugins.
- style-src: the counterpart of script-src for stylesheets.
| Directive | Description |
| --- | --- |
| img-src | Valid sources of images |
| connect-src | Applies to XMLHttpRequest (AJAX), WebSocket and EventSource |
| font-src | Valid sources of fonts |
| object-src | Valid sources of plugins (eg `<object>`, `<embed>`, `<applet>`) |
| media-src | Valid sources of `<audio>` and `<video>` |
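To make the directive list and the table concrete, here is an added example (not code from the original article or from any browser) of a small CSP evaluator: it parses a serialized policy into directives and decides whether a fetch of a given type from a given URL would be allowed, applying the fall-back to `default-src` that browsers use for the fetch directives above. It also contains the runtime check for `eval()` that the DOM API paragraph alludes to, done the only way currently possible, by trying it. The page origin `https://app.example.com`, the sample policy and the hostnames in it are constructed for the example; the source-expression matching covers `'none'`, `'self'`, `*`, scheme sources and host sources with wildcard subdomains, ports and path prefixes, and is deliberately simpler than the full CSP matching algorithm.

```javascript
// Added example: a minimal CSP policy evaluator. Not the browser's implementation.
// Assumed origin of the document that carries the policy (constructed for the example).
const PAGE_ORIGIN = "https://app.example.com";

// Constructed sample policy, as it would appear in the header or meta content attribute.
const SAMPLE_POLICY =
  "default-src 'self'; img-src 'self' https://images.example.com; " +
  "connect-src 'self' wss://rt.example.com; object-src 'none'; " +
  "font-src https://fonts.example.com";

// Fetch directives that fall back to default-src when they are absent.
// (child-src / frame-src / worker-src have a longer fall-back chain and are left out.)
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src", "object-src",
]);

// Split "name v1 v2; name2 ..." into a Map of directive name -> source expressions.
// A duplicated directive is ignored: the first occurrence wins, as in the spec.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the target URL, relative to the page origin?
function matchesSource(expr, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  const e = expr.toLowerCase();

  if (e === "'none'") return false;
  if (e === "'self'") return target.origin === page.origin;
  if (e === "*") return true;
  if (e.startsWith("'")) return false; // 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e; // scheme-source such as https:

  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;

  if (scheme) {
    if (target.protocol !== scheme + ":") return false;
  } else if (target.protocol !== page.protocol && target.protocol !== "https:") {
    return false; // a scheme-less host source inherits the page's scheme (https always allowed)
  }
  if (wildcard ? !target.hostname.endsWith("." + host) : target.hostname !== host) return false;
  // URL normalizes a default port to "", so an expression without a port only matches the default port.
  if (port === undefined ? target.port !== "" : port !== "*" && target.port !== port) return false;
  if (path) {
    if (path.endsWith("/") ? !target.pathname.startsWith(path) : target.pathname !== path) return false;
  }
  return true;
}

// Would a fetch governed by `directive` from `url` be allowed under `policy`?
function isAllowed(policy, directive, url, pageOrigin = PAGE_ORIGIN) {
  const directives = parsePolicy(policy);
  let sources = directives.get(directive);
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) {
    sources = directives.get("default-src"); // the fall-back the directive list describes
  }
  if (sources === undefined) return true; // neither the directive nor default-src is present: unrestricted
  return sources.some((expr) => matchesSource(expr, url, pageOrigin)); // an empty list allows nothing
}

// Runtime check for eval() availability: under a script-src without 'unsafe-eval',
// constructing a Function throws an EvalError, so code can branch on this today.
function canUseEval() {
  try {
    return new Function("return 1")() === 1;
  } catch (err) {
    return false;
  }
}

// Stand-alone demo of the sample policy.
for (const [directive, url] of [
  ["img-src", "https://images.example.com/logo.png"],
  ["script-src", "https://cdn.example.org/lib.js"],
  ["object-src", "https://app.example.com/movie.swf"],
]) {
  console.log(directive, url, isAllowed(SAMPLE_POLICY, directive, url) ? "allowed" : "blocked");
}
```

Two details worth noticing when reading the results: `object-src 'none'` blocks a same-origin plugin even though `default-src 'self'` would have allowed it, because an explicit directive replaces the fall-back rather than extending it; and `font-src` without `'self'` blocks the page's own fonts for the same reason.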