javascript - Dynamic Content Security Policy with Ember/JavaScript

Reposted. Author: 行者123. Updated: 2023-12-01 03:15:55

We have an Ember-based site that is split into two conceptual sections, each of which needs its own content security policy. Currently there is one CSP applied to index.html.

Can a browser honor a Content-Security-Policy header sent in an API/server response after the page has loaded? I tried sending this header in an API response, but Chrome does not seem to support it.

Best answer

According to the CSP specification (Level 2, 15 December 2016), this should not be possible:

3.5. Policy applicability

This section is not normative.

Policies are associated with a protected resource, and enforced or monitored for that resource. If a resource does not create a new execution context (for example, when including a script, image, or stylesheet into a document), then any policies delivered with that resource are discarded without effect. Its execution is subject to the policy or policies of the including context.

Source: https://www.w3.org/TR/CSP2/#which-policy-applies

Changing a CSP delivered as an HTML meta element should not be possible either:

3.3. HTML meta Element

[...]

Note: Modifications to the content attribute of a meta element after the element has been parsed will be ignored.

Source: https://www.w3.org/TR/CSP2/#delivery-html-meta-element

On the topic of javascript - Dynamic Content Security Policy with Ember/JavaScript, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/45537713/
