CSP (Content-Security-Policy) is a front-end security mechanism that prevents malicious code injection such as XSS. 1. It declares which resources can be loaded and executed through the HTTP response header. The core idea is the "whitelist" policy; 2. The setting method is to add Content-Security-Policy fields to the server response header, such as default-src, script-src and other instructions to control different resource types; 3. Inline scripts and eval are blocked by default, and can be temporarily allowed through nonce or hash, but external script files are recommended; 4. Content-Security-Policy-Report-Only can be used for testing and collecting violation reports during the development stage. After it is launched, strict policies are enabled to ensure normal security and functions.
CSP (Content Security Policy) is an important mechanism for front-end security, which can effectively prevent malicious code injection behaviors such as XSS (cross-site scripting attacks). Properly configuring CSP in JavaScript projects can not only enhance the security of the website, but also avoid some unnecessary resource loading problems.
What is CSP?
Simply put, CSP is a declarative security mechanism that uses the HTTP response header Content-Security-Policy to tell the browser which resources can be loaded, executed and which cannot be. For example, you can restrict the page from loading scripts of the same origin, prohibit the execution of inline scripts, and do not allow the loading of pictures of unknown origin, etc.
The core idea of CSP is "whitelist", which means that only content you trust is allowed to run, and all other things will be intercepted. This is especially important for modern web applications, especially sites that use a large number of third-party scripts or user-generated content.
How to set up a CSP?
The most common way to enable CSP is to add Content-Security-Policy field in the server response header. For example:
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com
The above line indicates that by default all resources can only be loaded from the current domain name, and the script can also be loaded from https://trusted-cdn.com .
Common instructions include:
-
default-src: Default policy, applicable to resource types that are not specified separately. -
script-src: Controls where JS can be loaded. -
style-src: controls CSS loading. -
img-src: controls the source of the image. -
connect-src: Controls the destination address of AJAX request. -
object-src: Controls the loading of plug-ins such as Flash (it's basically not used now). -
font-src: font file source. -
frame-srcorchild-src: the source of nested content such as iframe.
You can combine these instructions according to actual needs and gradually tighten the strategy.
Issues with inline scripts and eval
For convenience, many websites will write <script>...</script> directly or use eval() to execute string code. But CSP blocks this type of behavior by default because they are a common entry point for XSS attacks.
If you have to use inline scripts, there are several ways to bypass the limitations:
Use
nonce: Add a one-time key to a specific<script>tag, and the server declares that nonce is allowed in the CSP.Example:
Content-Security-Policy: script-src 'nonce-abc123';
HTML:
<script nonce="abc123">alert('allowed');</script>
Use
hash: hash the content of the inline script and allows the hash in the policy.Example:
Content-Security-Policy: script-src 'sha256-abc...';
However, neither method is recommended to use frequently because it is troublesome to maintain and is prone to errors. A more recommended approach is to move the script to an external file, which makes it easier to manage and review.
As for methods that dynamically execute code such as eval() and new Function() , by default, it is controlled by 'unsafe-eval' . It is recommended to avoid using it as much as possible or explicitly prohibit it.
Strategic differences between development and online stages
In development environments, we usually want to debug easily, so CSP can be a little looser, such as allowing scripts from any source to load, or even allowing inline scripts. However, when it comes to the production environment, strict restrictions should be strictly allowed to load only necessary resources.
It can be achieved through two different policy headers:
-
Content-Security-Policyfor online environments - Use
Content-Security-Policy-Report-Onlyin the development environment. This header will not really prevent resource loading, it will only report violations, which is suitable for testing.
For example:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-violation-report-endpoint/
In this way, you can observe whether the current page violates CSP without interrupting the function, and then gradually adjust the strategy.
In addition, it is recommended to do a complete CSP check before deployment to ensure that there are no missing key resources, otherwise the page function may be abnormal.
Basically that's it. CSP is not complicated but it is easy to ignore details. Especially in large-scale projects, it is very important to plan a good strategic structure in the early stage.
The above is the detailed content of Deep Dive into JavaScript Content Security Policy (CSP). For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What is Content Security Policy (CSP) header and why is it important?
Apr 09, 2025 am 12:10 AM
CSP is important because it can prevent XSS attacks and limit resource loading, improving website security. 1.CSP is part of HTTP response headers, limiting malicious behavior through strict policies. 2. The basic usage is to only allow loading resources from the same origin. 3. Advanced usage can set more fine-grained strategies, such as allowing specific domain names to load scripts and styles. 4. Use Content-Security-Policy-Report-Only header to debug and optimize CSP policies.
PHP8.1 released: supports CSP (Content Security Policy)
Jul 09, 2023 pm 06:52 PM
PHP8.1 released: supports CSP (Content Security Policy). With the development of the Internet, network security issues have increasingly become the focus of attention. In order to protect users' privacy and security, more websites are beginning to adopt Content Security Policy (CSP) to limit the content that can be executed and the resources that can be loaded in web pages. In the latest release of PHP 8.1, native support for CSP has been introduced, providing developers with better tools to enhance the security of web pages. CSP allows web page developers to restrict web pages by specifying the resource sources that are allowed to be loaded.
Microsoft shares helpful Group Policy tutorials to get the most out of Windows Updates
May 02, 2023 pm 09:22 PM
Microsoft has shared a helpful reference for organizations to set appropriate Group Policy settings for various devices. These include: Single-user or personal devices Multi-user devices Educational devices Kiosks and billboards Factory machines, roller coasters and the like Microsoft Teams meeting room devices However, the company recommends using the default settings for most use cases. The policy discussed here can be found here: Policy CSP - Update Management Single-User Devices A single-user device is a user-owned or company-owned device that is used by one person. In addition to personal computing tasks, these devices can be used for mixed work activities, including meetings, presentations, and any number of other tasks. As with any of these tasks, interruptions can hinder productivity. Given that these devices often connect to corporate networks and access sensitive information
Concurrency patterns in Go: CSP and message passing
Jun 02, 2024 pm 01:08 PM
When programming concurrently in Go, it is crucial to understand and use appropriate patterns. CSP is a concurrency mode based on sequential processes, implemented using Goroutine, and is suitable for simple communication. Message passing is a pattern that uses channels as message queues for communication, and is suitable for complex or multiple Goroutine interaction scenarios. In practical applications, CSP can be used to implement simple message services, sending and receiving messages between different Goroutines through channels.
Deep Dive into JavaScript Content Security Policy (CSP)
Jul 17, 2025 am 02:59 AM
CSP (Content-Security-Policy) is a front-end security mechanism that prevents malicious code injection such as XSS. 1. It declares which resources can be loaded and executed through the HTTP response header. The core idea is the "whitelist" strategy; 2. The setting method is to add Content-Security-Policy fields to the server response header, such as default-src, script-src and other instructions to control different resource types; 3. Inline scripts and eval are blocked by default, and can be temporarily allowed through nonce or hash, but it is recommended to use external script files; 4. Content-Security-Policy-Report can be used in the development stage.
Understanding Content Security Policy (CSP)
Jul 26, 2025 am 07:28 AM
CSPisacriticalsecuritymeasurethathelpspreventXSS,clickjacking,andcodeinjectionattacksbyrestrictingwhichresourcesabrowsercanload.1.ItworksviatheContent-Security-PolicyHTTPheader,enforcingawhitelistoftrustedsources.2.Keydirectivesincludedefault-src,scr
Advanced CSP Directives for JavaScript Applications
Jul 30, 2025 am 12:37 AM
Advanced CSP skills include: 1. Use 'strict-dynamic' to achieve secure loading of dynamic scripts, and cooperate with random nonce to ensure the legitimacy of dynamically generated scripts; 2. Use connect-src and frame-src to control the network requests and iframe embedding sources of third-party SDKs; 3. Remove 'unsafe-eval' to disable the execution of eval-type functions; 4. Use report-to to report violations, which are used to debug and monitor CSP execution. These methods enhance security while ensuring the functionality of modern SPA applications.
Enhancing Security with Content Security Policy (CSP) in HTML
Jul 15, 2025 am 02:43 AM
CSP is a mechanism to improve web page security by limiting the source of resource loading. The core is to set policies through HTTP headers or meta tags, and control the browser to load only scripts, styles and other resources from the specified source to prevent XSS attacks. To configure CSP, you need to set the Content-Security-Policy header, such as default-src'self' limits the default resource source, script-src specifies the script source that is allowed to be loaded, and style-src controls stylesheet loading. Frequently asked questions after enabled include the resource being intercepted by mistake, which can be reported through report-uri, report-Only mode testing, avoiding the use of 'unsafe-inline' and 'unsaf
