Detect CSP violations with JavaScript

半城伤御伤魂 submitted on 2020-01-22 12:27:46

Question


Is it possible to detect a Content Security Policy violation with JavaScript?

My CSP works and sends its reports, where I see that some URLs are injected, probably by browser addons. I would like to display a hint to the user that some addon tries to modify the page.

Can I somehow detect the aborted connection with JavaScript (which is itself whitelisted in the CSP of course)?


Answer 1:


According to the W3C CSP specification, a violation triggers a securitypolicyviolation event. You can add an event listener for this.

document.addEventListener("securitypolicyviolation", function(e) {
    alert("Something is trying something bad!");
});

See the above link for the properties of this event.

In Firefox Release, you need to enable the security.csp.enable_violation_events preference to enable this feature. See Experimental Features in Firefox documentation.
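
Building on the listener in the answer, the following added example (not part of the original answer) reads the event's properties, de-duplicates violations, and shows the user one hint per distinct blocked origin. The helper names and the list of extension URL schemes are assumptions, and the add-on check is only a heuristic.

```javascript
// Added example. Field names are standard SecurityPolicyViolationEvent
// properties; helper names and the scheme list below are assumptions.
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:", "safari-web-extension:"];

function describeViolation(e) {
  const directive = e.effectiveDirective || e.violatedDirective || "unknown";
  const raw = e.blockedURI || "unknown";
  let blocked = raw; // may be a keyword such as "inline" or "eval"
  try {
    const u = new URL(raw);
    // Reduce to the origin so paths and query strings are not shown.
    blocked = u.origin !== "null" ? u.origin : u.protocol + "//" + u.host;
  } catch (_) { /* not a URL, keep the keyword */ }
  // Heuristic: an add-on is involved if either URL uses an extension scheme.
  const fromExtension = EXTENSION_SCHEMES.some(
    (s) => raw.startsWith(s) || (e.sourceFile || "").startsWith(s));
  // "report" means a Report-Only policy: nothing was actually blocked.
  return { directive, blocked, fromExtension, enforced: e.disposition !== "report" };
}

function createViolationLog() {
  const seen = new Map(); // "directive blocked" -> entry with a hit count
  return {
    record(e) {
      const v = describeViolation(e);
      const key = v.directive + " " + v.blocked;
      const entry = seen.get(key) || { ...v, count: 0 };
      entry.count += 1;
      seen.set(key, entry);
      return entry;
    },
    entries: () => [...seen.values()],
  };
}

// Browser wiring: show one hint per distinct enforced violation.
if (typeof document !== "undefined") {
  const log = createViolationLog();
  document.addEventListener("securitypolicyviolation", (e) => {
    const entry = log.record(e);
    if (!entry.enforced || entry.count > 1) return;
    const note = document.createElement("p");
    // textContent, not innerHTML: the blocked URL is untrusted input.
    note.textContent = `Blocked ${entry.directive} load from ${entry.blocked}` +
      (entry.fromExtension ? " (possibly a browser add-on)" : "");
    document.body.appendChild(note);
  });
}
```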



Source: https://stackoverflow.com/questions/40053592/detect-csp-violations-with-javascript
