I noticed that GitHub and Facebook are both implementing this policy now, which restricts third-party scripts from being run within their experience/site.
Is there a
An easy way to detect support for CSP is just by checking if JavaScript's eval()-method can be run without throwing an error, like so:
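    function cspBlocksEval() {
        try {
            // Harmless expression: it only throws if the policy forbids eval()
            eval("0");
            return false; // eval() ran, so no CSP is restricting it
        } catch (e) {
            return true; // eval() was blocked (EvalError under an enforced CSP)
        }
    }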
However, this only works if CSP is actually turned on (obviously), with Content-Security-Policy being set in the response headers the page loaded with, and without 'unsafe-eval' in script-src.
I came here looking for a way to detect CSP support in browsers without CSP actually being turned on. It would seem this is not possible though.
On a side note, IE does not support CSP, only the sandbox directive in IE 10+, which, by looking at the CSP standard, does not make it a conformant web browser.