问题描述

据我了解，CSP可用于与 X-XSS-Protection 等相同的所有内容。如果您使用的是CSP，是否还有充分的理由使用 X-XSS-Protection ？

As far as I understand, CSP can be used for all the same things as X-XSS-Protection and more. If you are using CSP, is there any good reason to use X-XSS-Protection as well?

推荐答案

（见下文Kevin的评论）答案可能是肯定的。

With some doubts (see Kevin's comment below) the answer is probably yes.

X-Xss-Protection 激活启发式反射xss检测功能。反射的xss以参数的形式出现，这使得很容易确定潜在攻击的范围。

X-Xss-Protection activates a heuristic, reflected xss detection feature. Reflected xss comes in the form of parameters, which makes it easy to determine the scope of the potential attack.

浏览器执行HTML。根据定义，浏览器无法保证服务器生成的HTML代码的数据安全性。除非您使用CSP，否则无法确定受信任的恶意JavaScript。 CSP允许您选择浏览器执行的javascript。

Browsers execute HTML. By definition browsers cannot provide any guarantees about data safety of server generated HTML code. It is impossible to determine trusted vs malicious javascript... unless you use CSP. CSP allows you to choose what javascript the browser executes.

不允许内联javascript，eval或第三方来源的强制CSP是非常可靠且 x-xss-protection 对大多数用户没什么好处。

An enforced CSP that does not allow inline javascript, eval, or 3rd party sources is pretty solid and x-xss-protection would provide little benefit to most of your users.

如果您的用户的浏览器支持CSP。

<$ c IE已经支持$ c> x-xss-protection 多年。因此，如果有人使用IE< 12，CSP没用， x-xss-protection 可以提供帮助。

x-xss-protection has been supported by IE for many years. So in the case that someone is using IE < 12, CSP is useless where x-xss-protection can help.

所以，是的。都。总是。如果每个网站都部署，互联网将是一个更安全的世界。

So, yes. Both. Always. The internet would be a much safer world if every website deployed both.

我没有挖得太远，但我没有找到使用CSP但不是 x-xss-protection的网站

I haven't dug in too far, but I haven't found a site that uses CSP but not x-xss-protection

for i in twitter.com vine.co github.com
do
   echo "$i"
   curl -Is "https://$i" | grep -iE "(x-xss-protection|content-security-policy)"
done

这篇关于X-XSS-Protection与CSP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！