document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-25 23:11:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

translated 20160912 Content Security Policy, Your Future Best Friend.md

Browse Source
This commit is contained in:
Jinwen Zhang 2016-10-10 00:10:01 +08:00
parent 4b43d4c084
commit 2f1c7de89b
2 changed files with 258 additions and 258 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

258
sources/tech/20160912 Content Security Policy, Your Future Best Friend.md
View File

@ -1,258 +0,0 @@
wcnnbdk1 Translating
Content Security Policy, Your Future Best Friend
=====
A long time ago, my personal website was attacked. I do not know how it happened, but it happened. Fortunately, the damage from the attack was quite minor: A piece of JavaScript was inserted at the bottom of some pages. I updated the FTP and other credentials, cleaned up some files, and that was that.
One point made me mad: At the time, there was no simple solution that could have informed me there was a problem and — more importantly — that could have protected the websites visitors from this annoying piece of code.
A solution exists now, and it is a technology that succeeds in both roles. Its name is content security policy (CSP).
### What Is A CSP? Link
The idea is quite simple: By sending a CSP header from a website, you are telling the browser what it is authorized to execute and what it is authorized to block.
Here is an example with PHP:
```
<?php
header("Content-Security-Policy: <your directives>");
?>
```
#### SOME DIRECTIVES LINK
You may define global rules or define rules related to a type of asset:
```
default-src 'self' ;
# self = same port, same domain name, same protocol => OK
```
The base argument is default-src: If no directive is defined for a type of asset, then the browser will use this value.
```
script-src 'self' www.google-analytics.com ;
# JS files on these domains => OK
```
In this example, weve authorized the domain name www.google-analytics.com as a source of JavaScript files to use on our website. Weve added the keyword 'self'; if we redefined the directive script-src with another rule, it would override default-src rules.
If no scheme or port is specified, then it enforces the same scheme or port from the current page. This prevents mixed content. If the page is https://example.com, then you wouldnt be able to load http://www.google-analytics.com/file.js because it would be blocked (the scheme wouldnt match). However, there is an exception to allow a scheme upgrade. If http://example.com tries to load https://www.google-analytics.com/file.js, then the scheme or port would be allowed to change to facilitate the scheme upgrade.
```
style-src 'self' data: ;
# Data-Uri in a CSS => OK
```
In this example, the keyword data: authorizes embedded content in CSS files.
Under the CSP level 1 specification, you may also define rules for the following:
- `img-src`
valid sources of images
- `connect-src`
applies to XMLHttpRequest (AJAX), WebSocket or EventSource
- `font-src`
valid sources of fonts
- `object-src`
valid sources of plugins (for example, `<object>, <embed>, <applet>`)
- `media-src`
valid sources of `<audio> and <video>`
CSP level 2 rules include the following:
- `child-src`
valid sources of web workers and elements such as `<frame>` and `<iframe>` (this replaces the deprecated frame-src from CSP level 1)
- `form-action`
valid sources that can be used as an HTML `<form>` action
- `frame-ancestors`
valid sources for embedding the resource using `<frame>, <iframe>, <object>, <embed> or <applet>`.
- `upgrade-insecure-requests`
instructs user agents to rewrite URL schemes, changing HTTP to HTTPS (for websites with a lot of old URLs that need to be rewritten).
For better backwards-compatibility with deprecated properties, you may simply copy the contents of the actual directive and duplicate them in the deprecated one. For example, you may copy the contents of child-src and duplicate them in frame-src.
CSP 2 allows you to whitelist paths (CSP 1 allows only domains to be whitelisted). So, rather than whitelisting all of www.foo.com, you could whitelist www.foo.com/some/folder to restrict it further. This does require CSP 2 support in the browser, but it is obviously more secure.
#### AN EXAMPLE
I made a simple example for the Paris Web 2015 conference, where I presented a talk entitled “[CSP in Action][1].”
Without CSP, the page would look like this:
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing1b-500.jpg)
Not very nice. What if we enabled the following CSP directives?
```
<?php
header("Content-Security-Policy:
default-src 'self' ;
script-src 'self' www.google-analytics.com stats.g.doubleclick.net ;
style-src 'self' data: ;
img-src 'self' www.google-analytics.com stats.g.doubleclick.net data: ;
frame-src 'self' ;");
?>
```
What would the browser do? It would (very strictly) apply these directives under the primary rule of CSP, which is that anything not authorized in a CSP directive will be blocked (“blocked” meaning not executed, not displayed and not used by the website).
By default in CSP, inline scripts and styles are not authorized, which means that every `<script>`, onclick or style attribute will be blocked. You could authorize inline CSS with style-src 'unsafe-inline' ;.
In a modern browser with CSP support, the example would look like this:
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing5-500.jpg)
What happened? The browser applied the directives and rejected anything that was not authorized. It sent these notifications to the console:
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing2-500.jpg)
If youre still not convinced of the value of CSP, have a look at Aaron Gustafsons article “[More Proof We Dont Control Our Web Pages][2].”
Of course, you may use stricter directives than the ones in the example provided above:
- set default-src to 'none',
- specify what you need for each rule,
- specify the exact paths of required files,
- etc.
### More Information On CSP
#### SUPPORT
CSP is not a nightly feature requiring three flags to be activated in order for it to work. CSP levels 1 and 2 are candidate recommendations! [Browser support for CSP level 1][3] is excellent.
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing3-500.jpg)
The [level 2 specification][4] is more recent, so it is a bit less supported.
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing4-500.jpg)
CSP level 3 is an early draft now, so it is not yet supported, but you can already do great things with levels 1 and 2.
#### OTHER CONSIDERATIONS
CSP has been designed to reduce cross-site scripting (XSS) risks, which is why enabling inline scripts in script-src directives is not recommended. Firefox illustrates this issue very nicely: In the browser, hit Shift + F2 and type security csp, and it will show you directives and advice. For example, here it is used on Twitters website:
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing6b-500.jpg)
Another possibility for inline scripts or inline styles, if you really have to use them, is to create a hash value. For example, suppose you need to have this inline script:
```
<script>alert('Hello, world.');</script>
```
You might add 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng=' as a valid source in your script-src directives. The hash generated is the result of this in PHP:
```
<?php
echo base64_encode(hash('sha256', "alert('Hello, world.');", true));
?>
```
I said earlier that CSP is designed to reduce XSS risks — I could have added, “… and reduce the risks of unsolicited content.” With CSP, you have to know where your sources of content are and what they are doing on your front end (inline styles, etc.). CSP can also help you force contributors, developers and others to respect your rules about sources of content!
Now your question is, “OK, this is great, but how do we use it in a production environment?”
### How To Use It In The Real World
The easiest way to get discouraged with using CSP the first time is to test it in a live environment, thinking, “This will be easy. My code is bad ass and perfectly clean.” Dont do this. I did it. Its stupid, trust me.
As I explained, CSP directives are activated with a CSP header — there is no middle ground. You are the weak link here. You might forget to authorize something or forget a piece of code on your website. CSP will not forgive your oversight. However, two features of CSP greatly simplify this problem.
#### REPORT-URI
Remember the notifications that CSP sends to the console? The directive report-uri can be used to tell the browser to send them to the specified address. Reports are sent in JSON format.
```
report-uri /csp-parser.php ;
```
So, in the csp-parser.php file, we can process the data sent by the browser. Here is the most basic example in PHP:
```
$data = file_get_contents('php://input');
if ($data = json_decode($data, true)) {
$data = json_encode(
$data,
JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES
);
mail(EMAIL, SUBJECT, $data);
}
```
This notification will be transformed into an email. During development, you might not need anything more complex than this.
For a production environment (or a more visited development environment), youd better use a way other than email to collect information, because there is no auth or rate limiting on the endpoint, and CSP can be very noisy. Just imagine a page that generates 100 CSP notifications (for example, a script that display images from an unauthorized source) and that is viewed 100 times a day — you could get 10,000 notifications a day!
A service such as report-uri.io can be used to simplify the management of reporting. You can see other simple examples for report-uri (with a database, with some optimizations, etc.) on GitHub.
### REPORT-ONLY
As we have seen, the biggest issue is that there is no middle ground between CSP being enabled and disabled. However, a feature named report-only sends a slightly different header:
```
<?php
header("Content-Security-Policy-Report-Only: <your directives>");
?>
```
Basically, this tells the browser, “Act as if these CSP directives were being applied, but do not block anything. Just send me the notifications.” It is a great way to test directives without the risk of blocking any required assets.
With report-only and report-uri, you can test CSP directives with no risk, and you can monitor in real time everything CSP-related on a website. These two features are really powerful for deploying and maintaining CSP!
### Conclusion
#### WHY CSP IS COOL
CSP is most important for your users: They dont have to suffer any unsolicited scripts or content or XSS vulnerabilities on your website.
The most important advantage of CSP for website maintainers is awareness. If youve set strict rules for image sources, and a script kiddie attempts to insert an image on your website from an unauthorized source, that image will be blocked, and you will be notified instantly.
Developers, meanwhile, need to know exactly what their front-end code does, and CSP helps them master that. They will be prompted to refactor parts of their code (avoiding inline functions and styles, etc.) and to follow best practices.
#### HOW CSP COULD BE EVEN COOLER LINK
Ironically, CSP is too efficient in some browsers — it creates bugs with bookmarklets. So, do not update your CSP directives to allow bookmarklets. We cant blame any one browser in particular; all of them have issues:
- Firefox
- Chrome (Blink)
- WebKit
Most of the time, the bugs are false positives in blocked notifications. All browser vendors are working on these issues, so we can expect fixes soon. Anyway, this should not stop you from using CSP.
--------------------------------------------------------------------------------
via: https://www.smashingmagazine.com/2016/09/content-security-policy-your-future-best-friend/?utm_source=webopsweekly&utm_medium=email
作者:[Nicolas Hoffmann][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.smashingmagazine.com/author/nicolashoffmann/
[1]: https://rocssti.net/en/example-csp-paris-web2015
[2]: https://www.aaron-gustafson.com/notebook/more-proof-we-dont-control-our-web-pages/
[3]: http://caniuse.com/#feat=contentsecuritypolicy
[4]: http://caniuse.com/#feat=contentsecuritypolicy2

258
translated/tech/20160912 Content Security Policy, Your Future Best Friend.md Normal file
View File

@ -0,0 +1,258 @@
内容安全策略CSP这种用法在 https://www.w3.org/html/ig/zh/wiki/CSP 的介绍那部分有,其它地方似乎不作翻译,个人认为这样更合适些),你未来最好的助手
=====
很久之前,我的个人网站被攻击了。我不知道它是如何发生的,但它确实发生了。幸运的是,攻击带来的破坏是很小的:一小段 JavaScript 被注入到了某些页面的底部。我更新了 FTP 和其它的凭证,清理了一些文件,事情就这样结束了。
有一点使我很恼火:在当时,还没有一种简便的方案能够使我知道那里有问题,更重要的是能够保护网站的访客不被这段恼人的代码所扰。
现在有一种方案出现了这种技术在两方面都十分的成功。它就是内容安全策略CSP
### 什么是 CSP?
这个想法十分简单:网站通过发送一个 CSP 头部,来告诉浏览器什么是被授权执行的与什么是需要被禁止的。
这里有一个 PHP 的例子:
```
<?php
header("Content-Security-Policy: <your directives>");
?>
```
#### 一些指令
你可以定义一些全局规则或者定义一些涉及某一类资源的规则:
```
default-src 'self' ;
# self = 同端口,同域名,同协议 => 允许
```
基础参数是 default-src如果没有为某一类资源设置指令规则那么浏览器就会使用这个参数值。
```
script-src 'self' www.google-analytics.com ;
# 从这些域名来的 JS 文件 => 允许
```
在这个例子中,我们已经授权了 www.google-analytics.com 这个域名来源的 JavaScript 文件使用到我们的网站上。我们也添加了 'self' 这个关键词;如果我们通过 script-src 来重新设置其它的规则指令,它将会覆盖 default-src 规则。
如果协议或端口没有被指明(这里的 scheme 从下文来看指的应该是 http https 这样的协议,所以这样翻,不知道是否合适),它就会强制选择与当前页面相同的协议或端口执行。这样做防止了混合内容(这个翻译的话 https://developer.mozilla.org/zh-CN/docs/Security/MixedContent 在这个内容中我可以看到有相关的翻译方式,但是这里要说的是这个概念和之前的 scheme 一样可能会包含较为丰富的内容,不清楚是否要添加一些注释)。如果页面是 https://example.com那么你将无法加载 http://www.google-analytics.com/file.js 因为它已经被禁止了(协议不匹配)。然而,有一个例外就是协议的提升是被允许的。如果 http://example.com 尝试加载 https://www.google-analytics.com/file.js接着协议或端口允许被更改以便协议的提升。
```
style-src 'self' data: ;
# Data-Uri 嵌入 CSS => 允许
```
在这个例子中,关键词 data授权了在 CSS 文件中内嵌内容。
在 CSP 1 规范下,你可能也会设置如下规则:
- `img-src`
有效的图片来源
- `connect-src`
应用于 XMLHttpRequestAJAXWebSocket 或 EventSource
- `font-src`
有效的字体来源
- `object-src`
有效的插件来源(例如,`<object><embed><applet>`
- `media-src`
有效的 `<audio> 和 <video>` 来源
CSP 2 包含了如下规则:
- `child-src`
有效的 web workers 和 元素来源,如 `<frame>``<iframe>` (这个指令用来替代 CSP 1 中不建议使用的 frame-src 指令)
- `form-action`
可以作为 HTML `<form>` action (这里 action 没有翻译是鉴于这是一个属性,也没有更好的处理方式)的有效来源
- `frame-ancestors`
使用 `<frame><iframe><object><embed> 或 <applet>` 内嵌资源的有效来源
- `upgrade-insecure-requests`
命令用户代理来重写 URL 的协议(这里又把 schemes 翻成了协议,还是没有找到更好的方法,这里的 user agents 指的应该是如浏览器之类的工具,不知是否需要注明一下),将 HTTP 改到 HTTPS (为一些需要重写大量陈旧 URL 的网站提供了方便)。
为了更好的向后兼容一些不被建议使用的属性,你可以简单的复制当前指令的内容同时为那个不被建议的指令创建一个相同的副本。例如,你可以复制 child-src的内容同时在 frame-src 中添加一份相同的副本。
CSP 2 允许你添加路径到白名单中CSP 1 只允许域名被添加到白名单中)。因此,相较于将整个 www.foo.com 域添加到白名单,你可以通过添加 www.foo.com/some/folder 这样的路径到白名单中来作更多的限制。这个需要浏览器中 CSP 2 的支持,但它很明显更安全。
#### 一个例子
我为 Paris Web 2015 大会上以 “[CSP in Action][1]” 为题的我的发言制作了一个简单的例子。
在没有 CSP 的情况下,页面展示如下图所示:
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing1b-500.jpg)
不是十分优美。要是我们启用了如下的 CSP 指令又会怎样呢?
```
<?php
header("Content-Security-Policy:
default-src 'self' ;
script-src 'self' www.google-analytics.com stats.g.doubleclick.net ;
style-src 'self' data: ;
img-src 'self' www.google-analytics.com stats.g.doubleclick.net data: ;
frame-src 'self' ;");
?>
```
浏览器将会作什么呢?它会(非常严格的)在 CSP 基础规则之下应用这些指令,这意味着任何没有在 CSP 指令中被授权允许的都将会被禁止“blocked” 指的是不被执行,不被显示并且不被使用在网站中)。
在 CSP 的默认设置中,内联脚本和样式是不被授权的,意味着每一个 `<script>`onclick 或 style 属性都将会被禁止。(这里 onclick 和 style 没有翻译,应该指的是属性,使用中也是这样用的,所以没有翻译)你可以使用 style-src 'unsafe-inline' ;指令来授权内联 CSS 的使用。
在一个支持 CSP 的现代浏览器中,示例看起来如下图:
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing5-500.jpg)
发生了什么?浏览器应用了指令并且拒绝了所有没有被授权的内容。它在终端中发送了这些通知:
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing2-500.jpg)
如果你依然不确定 CSP 的价值,请看一下 Aaron Gustafson 文章 ”[More Proof We Don't Control Our Web Pages][2]“。
当然,你可以使用比我们在示例中提供的更严格的指令:
- 设置 default-src 为 'none',
- 为每条规则指定你需要的,
- 为需要的文件指定它的绝对路径,
- 等。
### 更多关于 CSP 的信息
#### 支持
CSP 不是一个需要复杂的配置才能正常工作的每日构建特性这里没有按照字面翻译感觉像是有什么梗但是没有翻出来就按意义来了。CSP 1 和 2 是候选推荐标准![浏览器可以非常完美的支持 CSP 1][3]。
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing3-500.jpg)
[CSP 2 是较新的规范][4],因此对它的支持会少那么一点。
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing4-500.jpg)
现在 CSP 3 还是一个早期草案,因此还没有被支持,但是你依然可以使用 CSP 1 和 2 来做一些重大的事。
#### 其他需要考虑的因素
CSP 被设计用来降低跨站脚本执行XSS的风险这就是不建议开启内联脚本和 script-src 指令的原因。Firefox 对这个问题做了和好的说明:在浏览器中,敲击 Shift + F2 并且键入 security csp它就会向你展示指令和对应的建议。这里有一个在 Twitter 网站中应用的例子:
![](https://www.smashingmagazine.com/wp-content/uploads/2016/09/csp_smashing6b-500.jpg)
如果你确实需要使用内联脚本和样式的话,另一种可能就是生成一份散列值(这里的 hash value这样翻不太确定是否合适个人比较偏向这样吧。例如我们假定你需要使用如下的内联脚本
```
<script>alert('Hello, world.');</script>
```
你应该在 script-src 指令中添加 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng=' 作为有效来源。这个散列值是有下面的 PHP 脚本执行获得的结果:
```
<?php
echo base64_encode(hash('sha256', "alert('Hello, world.');", true));
?>
```
我在前文中说过 CSP 被设计用来降低 XSS 风险,我还得加上“……与降低未经请求内容的风险。”伴随者 CSP 的使用你必须知道你内容的来源是哪里与他们在你的前端都作了些什么内联样式。CSP 同时可以帮助你让贡献者,开发和其他人员来遵循你内容来源的规则!
现在你的问题就只是,“不错,这很好,但是我们如何在生产环境中使用它呢?”
### 如何在现实世界中使用它
想要在第一次使用 CSP 之后就失望透顶的方法就是在生产环境中测试,不要想当然的认为,“这会很简单。我的代码是完美并且相当清晰的。”不要这样作。我这样干过。相信我这相当蠢。
正如我之前说明的CSP 指令由 CSP 头来激活其中没有中间地带。你恰恰就是其中的薄弱环节。你可能会忘记授权某些东西或者遗忘了你网站中的一小段代码。CSP 不会饶恕你的疏忽。然而CSP 的两个特性将这个问题变得相当的简单。
#### REPORT-URI这个也是指令所以没有翻译保留
还记得 CSP 发送到终端中的那些通知么report-uri 指令可以被用来告诉浏览器发送那些通知到指定的地址。报告以 JSON 格式送出。
```
report-uri /csp-parser.php ;
```
因此,我们可以在 csp-parser.php 文件中处理有浏览器送出的数据。这里有一个由 PHP 实现的最基础的例子:
```
$data = file_get_contents('php://input');
if ($data = json_decode($data, true)) {
$data = json_encode(
$data,
JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES
);
mail(EMAIL, SUBJECT, $data);
}
```
这个通知将会被转换成为一封邮件。在开发过程中,你可能不会需要比这更复杂的其它东西。
对于一个生产环境(或者是一个有较多访问的开发环境),你应该使用一种比邮件更好的收集信息的方式,因为这种方式在节点上没有验证和速率限制,并且 CSP 可能变得乱哄哄的。只需想像一个会产生 100 个 CSP 通知(例如,一个从未授权来源展示图片的脚本)并且每天会被浏览 100 次的页面,那你就会每天收到 10,000 个通知啊!
例如 report-uri.io 这样的服务可以用来简化你的报告管理(感觉这里将 reporting 翻译成报告似乎有点不太通)。你也可以在 GitHub上看一些另外的使用 report-uri (与数据库搭配,添加一些优化,等)的简单例子。
### REPORT-ONLY这也是个属性所以没有翻译
正如我们所见的,最大的问题就是在使用和不使用 CSP 之间没有中间地带。然而,一个名为 report-only 的特性会发送一个稍有不同的头部:
```
<?php
header("Content-Security-Policy-Report-Only: <your directives>");
?>
```
总的来说,这个头部就是告诉浏览器,“表现得似乎所有的 CSP 指令都被应用了,但是不禁止任何东西。只是发送通知给自己。”这是一种相当棒的测试指令的方式,避免了任何有价值的东西被禁止的风险。
在 report-only 和 report-uri 的帮助下你可以毫无风险的测试 CSP 指令,并且可以实时的监控网站上一切与 CSP 相关的内容。这两个特性对部署和维护 CSP 来说真是相当的有用!
### 结论
#### 为什么 CSP 很酷
CSP 对你的用户来说是尤其重要的:他们在你的网站上不再需要遭受任何的未经请求的脚本,内容或 XSS 的威胁了。(感觉这句话好夸张,不知是不是我的理解有误,感觉有必要注释一下,不代表本站观点这样类似的东西)
对于网站维护者来说 CSP 最重要的优势就是可感知。如果你对图片来源设置了严格的规则,这时一个脚本小子尝试在你的网站上插入一张未授权来源的图片,那么这张图片就会被禁止,并且你会在第一时间收到提醒。
开发者也需要确切的知道他们的前端代码都在做些什么CSP 可以帮助他们掌控一切。会促使他们去重构他们代码中的某些部分(避免内联函数和样式,等)并且促使他们遵循最佳实践。
#### 如何让 CSP 变得更酷
讽刺的是CSP 在一些浏览器中过分的高效了,在和书签栏小程序一起使用时会产生一些 bug这里的 bug 和 bookmarklet 的翻译拿不准)。因此,不要更新你的 CSP 指令来允许书签栏小程序。我们无法单独的责备任何一个浏览器;它们都有些问题:
- Firefox
- Chrome (Blink)
- WebKit
大多数情况下,这些 bug 都是禁止通知中的误报。所有的浏览器提供者都在努力解决这些问题,因此我们可以期待很快就会被解决。无论怎样,这都不会成为你使用 CSP 的绊脚石。
--------------------------------------------------------------------------------
via: https://www.smashingmagazine.com/2016/09/content-security-policy-your-future-best-friend/?utm_source=webopsweekly&utm_medium=email
作者:[Nicolas Hoffmann][a]
译者:[wcnnbdk1](https://github.com/wcnnbdk1)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.smashingmagazine.com/author/nicolashoffmann/
[1]: https://rocssti.net/en/example-csp-paris-web2015
[2]: https://www.aaron-gustafson.com/notebook/more-proof-we-dont-control-our-web-pages/
[3]: http://caniuse.com/#feat=contentsecuritypolicy
[4]: http://caniuse.com/#feat=contentsecuritypolicy2