问题
Is it possible prevent inline JavaScript on Internet Explorer 11 using CSP on ASP.NET WebForm? I know IE 11 does not support Content Security Policy Level 2 but it seen that support Level 1.0. I tried many way and there is not a clear answer out there. I tried:
- Response.AddHeader("X-Content-Security-Policy", "script-src 'none'");
- Response.AddHeader("X-Content-Security-Policy","script-src 'self'");
- Response.AddHeader("Content-Security-Policy", "script-src 'self'");
it's not working.
Thanks! Albert Torres
回答1:
See here - IE 11 only has partial support.
Partial support in Internet Explorer 10-11 refers to the browser only supporting the
sandboxdirective by using theX-Content-Security-Policyheader
However, you could try this sandbox directive. Description here:
Enables a sandbox for the requested resource similar to the iframe sandbox attribute. The sandbox applies a same origin policy, prevents popups, plugins and script execution is blocked. You can keep the sandbox value empty to keep all restrictions in place
e.g.
X-Content-Security-Policy: sandbox
来源:https://stackoverflow.com/questions/42704605/prevent-inline-javascript-on-internet-explorer-11-using-content-security-policy