No edit summary |
Line 83: | Line 83: | ||
== script-src == | == script-src == | ||
The script-src directive is design give web developers more fine-grained control over from where their web page can load external script. When present the script-src directive has the following effects: | The script-src directive is design give web developers more fine-grained control over from where their web page can load external script. When present the script-src directive has the following effects: | ||
#The browser MUST NOT enforce the restrictions on loading external scripts or plug-in objects given by the block-xss directive because the script-src overrides those restrictions with a finer-grained policy. | #The browser MUST NOT enforce the restrictions on loading external scripts or plug-in objects given by the block-xss directive because the script-src overrides those restrictions with a finer-grained policy. | ||
#The browser MUST NOT load an external script into the current web page unless loading that script respects the | #The browser MUST NOT load an external script into the current web page unless loading that script respects the effective origin-list. | ||
#The browser MUST NOT load an plug-in object into the current web page unless loading that script respects the | #The browser MUST NOT load an plug-in object into the current web page unless loading that script respects the effective origin-list. | ||
In order to mitigate XSS vulnerabilities, the script-src directive SHOULD be used in conjunction with the block-xss directive. | In order to mitigate XSS vulnerabilities, the script-src directive SHOULD be used in conjunction with the block-xss directive. | ||
= Examples = | = Examples = |
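Review bot: item 3 of the numbered list is inconsistent with item 2 in both revisions: it restricts loading a plug-in object but the condition still reads "unless loading that script respects the effective origin-list"; it should read "unless loading that object respects the effective origin-list". The same hunk also carries two typos through both columns, "is design give" (should be "is designed to give") and "an plug-in object" (should be "a plug-in object"). Finally, the new text introduces the term "effective origin-list" in items 2 and 3 without saying where it is defined; a link or reference to its definition would help readers of this section.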