Does Content Security Policy block bookmarks?

Problem description

Does Mozilla's CSP block executing JavaScript from a bookmark by default?

Can it be configured to do so?

Recommended answer

As of 2017, the answer is still a definitive "maybe" - just like when this answer was originally posted in 2011. The specification clearly says:

And this is indeed the behavior I see in Chrome 61: a bookmarklet will run on https://addons.mozilla.org/, a site that has a strict content security policy without script-src: 'unsafe-inline'. Yet in Firefox 56 bookmarklets won't run on this website and a CSP violation is being reported.

There is a very long discussion on this issue in the Firefox bug report, in particular linking to a similar discussion on the W3C spec. So as of now, you cannot really rely on bookmarklets being unaffected by CSP. You can always disable CSP altogether, but that's one important protection layer less for you.
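The check that decides a bookmarklet's fate in a browser that applies the page's CSP to it, as an added example that is not part of the original answer: a bookmarklet is a `javascript:` URL, so it runs only if the policy permits inline script. The function names and sample headers are constructed for illustration, and the directive fallback order (`script-src-elem`, `script-src`, `default-src`) is assumed from CSP Level 3.

```javascript
// Added example (not from the original answer): does a CSP header permit
// inline script, which is what a bookmarklet needs where CSP is enforced on it?

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Returns { allowed, directive }: whether inline script may run and which
// directive governed the decision (null when no directive applies).
function allowsInlineScript(header) {
  const policy = parseCsp(header);
  const name = ['script-src-elem', 'script-src', 'default-src']
    .find((d) => policy.has(d));
  if (name === undefined) return { allowed: true, directive: null };

  const sources = policy.get(name).map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const overridesInline = sources.some(
    (s) => /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'"
  );
  const allowed = sources.includes("'unsafe-inline'") && !overridesInline;
  return { allowed, directive: name };
}

// Constructed sample policies, not taken from any real site.
const samples = [
  "script-src 'self'; object-src 'none'",
  "default-src 'self' 'unsafe-inline'",
  "script-src 'unsafe-inline' 'nonce-abc123'",
  "img-src *",
];
for (const header of samples) {
  const { allowed, directive } = allowsInlineScript(header);
  console.log(`${allowed ? 'inline allowed' : 'inline blocked'} ` +
    `(${directive ?? 'no script directive'}): ${header}`);
}
```

A result of "inline blocked" predicts a blocked bookmarklet only in browsers that subject bookmarklets to the page's policy, which the answer above reports for Firefox 56 but not Chrome 61.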
