问题
I'm at least 90% sure that the following is a result of Chrome's implementation of W3C's CSP standard, but I thought that it'd be best to double down and make sure.
I'm currently in the process of implementing a strict content security policy for a client, and I've run into the following policy directive complications on Chrome 66:
Unrecognized Content-Security-Policy directive 'disown-opener'.
Unrecognized Content-Security-Policy directive 'reflected-xss'.
Unrecognized Content-Security-Policy directive 'referrer'.
Again, I'm sure this is a standards issue (as I'm using MDN’s CSP documentation). If this is the case, can anyone direct me to competing or substituting directives?
回答1:
Unrecognized Content-Security-Policy directive 'reflected-xss'
The reflected-xss directive was removed from the CSP spec more than a year ago. But you can use the X-XSS-Protection header to get exactly the same effect reflected-xss was meant for.
Unrecognized Content-Security-Policy directive 'referrer'.
The referrer directive was dropped a long time ago. Use the Referrer-Policy header instead.
Unrecognized Content-Security-Policy directive 'disown-opener'
Use rel=noopener on any external links. It’s supported in all modern browsers except Edge.
来源:https://stackoverflow.com/questions/50575265/unrecognized-content-security-policy-directives-disown-opener-reflected-xss-r