问题
Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's automatically blocking certain XSS attacks.
回答1:
For people who still want an even more permissive posts, because the other answers were just not permissive enough, and they must work with google chrome for which * is just not enough:
default-src * data: blob: 'unsafe-inline' 'unsafe-eval';
script-src * data: blob: 'unsafe-inline' 'unsafe-eval';
connect-src * data: blob: 'unsafe-inline';
img-src * data: blob: 'unsafe-inline';
frame-src * data: blob: ;
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';
回答2:
It's not secure at all, but as staring point the real allow all policy is:
default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';
See: https://content-security-policy.com/ and this CSP migration guide.
回答3:
The best way would be not applying any policy.
But to answer your question, an "allow all policy" would probably be:
default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;
Note: untested
来源:https://stackoverflow.com/questions/35978863/allow-all-content-security-policy