Guides
Access control CORS
Authentication
Browser detection using the user agent
Caching
Caching FAQ
Compression
Conditional requests
Connection management in HTTP 1.x
Content negotiation
Content negotiation: List of default Accept values
Cookies
CSP
Messages
Overview
Protocol upgrade mechanism
Proxy servers and tunneling
Proxy servers and tunneling: Proxy Auto-Configuration (PAC) file
Public Key Pinning
Range requests
Redirections
Resources and specifications
Resources and URIs
Response codes
Server-Side Access Control
Session
Guides: Basics
Basics of HTTP
Choosing between www and non-www URLs
Data URIs
Evolution of HTTP
Identifying resources on the Web
MIME Types
MIME types: Complete list of MIME types
CSP
Content-Security-Policy
Content-Security-Policy-Report-Only
CSP: base-uri
CSP: block-all-mixed-content
CSP: child-src
CSP: connect-src
CSP: default-src
CSP: font-src
CSP: form-action
CSP: frame-ancestors
CSP: frame-src
CSP: img-src
CSP: manifest-src
CSP: media-src
CSP: object-src
CSP: plugin-types
CSP: referrer
CSP: report-uri
CSP: require-sri-for
CSP: sandbox
CSP: script-src
CSP: style-src
CSP: upgrade-insecure-requests
CSP: worker-src
Headers
Accept
Accept-Charset
Accept-Encoding
Accept-Language
Accept-Ranges
Access-Control-Allow-Credentials
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Allow-Origin
Access-Control-Expose-Headers
Access-Control-Max-Age
Access-Control-Request-Headers
Access-Control-Request-Method
Age
Allow
Authorization
Cache-Control
Connection
Content-Disposition
Content-Encoding
Content-Language
Content-Length
Content-Location
Content-Range
Content-Type
Cookie
Cookie2
Date
DNT
ETag
Expect
Expires
Forwarded
From
Headers
Host
If-Match
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Keep-Alive
Large-Allocation
Last-Modified
Location
Origin
Pragma
Proxy-Authenticate
Proxy-Authorization
Public-Key-Pins
Public-Key-Pins-Report-Only
Range
Referer
Referrer-Policy
Retry-After
Server
Set-Cookie
Set-Cookie2
SourceMap
Strict-Transport-Security
TE
Tk
Trailer
Transfer-Encoding
Upgrade-Insecure-Requests
User-Agent
User-Agent: Firefox
Vary
Via
Warning
WWW-Authenticate
X-Content-Type-Options
X-DNS-Prefetch-Control
X-Forwarded-For
X-Forwarded-Host
X-Forwarded-Proto
X-Frame-Options
X-XSS-Protection
Methods
CONNECT
DELETE
GET
HEAD
Methods
OPTIONS
PATCH
POST
PUT
Status
100 Continue
101 Switching Protocols
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content
300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other
304 Not Modified
307 Temporary Redirect
308 Permanent Redirect
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Payload Too Large
414 URI Too Long
415 Unsupported Media Type
416 Range Not Satisfiable
417 Expectation Failed
426 Upgrade Required
428 Precondition Required
429 Too Many Requests
431 Request Header Fields Too Large
451 Unavailable For Legal Reasons
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
511 Network Authentication Required
Status
©
本文档使用 PHP中文网手册 发布
文字
弃用
该功能已从Web标准中删除。尽管一些浏览器可能仍然支持它,但它正在被丢弃。避免使用它并尽可能更新现有的代码;请参阅本页底部的兼容性表格来指导您的决定。请注意,此功能可能随时停止工作。
不推荐使用的HTTP Content-Security-Policy(CSP)report-uri指令指示用户代理报告违反内容安全策略的企图。这些违规报告由通过HTTP POST请求发送到指定URI的JSON文档组成。
尽管report-to指令旨在取代已弃用的report-uri指令,report-to但在大多数浏览器中仍不受支持。因此,对于当前浏览器的同时,还加入向前兼容的浏览器时获得的兼容性report-to支持,您可以同时指定report-uri和report-to:
Content-Security-Policy: ...; report-uri https://endpoint.com; report-to groupname
在支持的浏览器中report-to,report-uri指令将被忽略。
该指令本身没有任何影响,但仅与其他指令结合起来才有意义。
CSP版本 | 1 |
|---|---|
指令类型 | 报告指令 |
| 该指令在<meta>元素中不受支持。|
句法
Content-Security-Policy: report-uri <uri>;
<uri>将报告发布到的URI。
示例
请参阅Content-Security-Policy-Report-Only更多信息和示例。
Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/
/csp-violation-report-endpoint/ 例如可以运行一个如下所示的PHP,它记录详细说明违规的JSON,并且如果该违规是第一个添加到日志文件的违规,则向管理员发送一封电子邮件:
<?php// Start configure
$log_file = dirname(__FILE__) . '/csp-violations.log';
$log_file_size_limit = 1000000; // bytes - once exceeded no further entries are added
$email_address = 'admin@example.com';
$email_subject = 'Content-Security-Policy violation';// End configuration
$current_domain = preg_replace('/www\./i', '', $_SERVER['SERVER_NAME']);
$email_subject = $email_subject . ' on ' . $current_domain;http_response_code(204);
// HTTP 204 No Content$json_data = file_get_contents('php://input');
// We pretty print the JSON before adding it to the log file
if ($json_data = json_decode($json_data)) {
$json_data = json_encode($json_data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
if (!file_exists($log_file)) {
// Send an email
$message = "The following Content-Security-Policy violation occurred on " .
$current_domain . ":\n\n" .
$json_data . "\n\nFurther CPS violations will be logged to the following log file, but no further email notifications will be sent until this log file is deleted:\n\n" .
$log_file; mail($email_address, $email_subject, $message, 'Content-Type: text/plain;charset=utf-8');
} else if (filesize($log_file) > $log_file_size_limit) {
exit(0);
} file_put_contents($log_file, $json_data, FILE_APPEND | LOCK_EX);
}
?>规范
规范 | 状态 | 评论 |
|---|---|---|
内容安全策略级别3该规范中“report-uri”的定义。 | 编辑草稿 | 没有变化。 |
内容安全策略级别2该规范中的'report-uri'的定义。 | 建议 | 初始定义。 |
浏览器兼容性
特征 | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari |
|---|---|---|---|---|---|---|
基本支持 | 25 | 14 | 23.0 | No | 15 | 7 |
特征 | Android | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari |
|---|---|---|---|---|---|---|---|
基本支持 | (Yes) | (Yes) | ? | 23.0 | No | ? | 7.1 |