<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self'">
<meta charset="utf-8">
<title>QA Eval Webapp</title>
<base href="/">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="favicon.ico">
</head>
<body>
<app-root></app-root>
</body>
</html>
But when we try to load the page in an iframe, it still loads. We tested this on Google Chrome.
To work around it, we built the Angular project, moved the files under dist into a web application, and added a filter that sets the CSP header on the response to every request. Here is the code:
package com.web.beginner;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Applies to every request so that the static Angular files, not only the index page,
// are served with the Content-Security-Policy response header.
@WebFilter(urlPatterns = "/*", filterName = "cspfilter")
public class CSPFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed; the policy is fixed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Set the header before passing the request down the chain, so it is present
        // whatever the downstream servlet writes.
        httpResponse.setHeader("Content-Security-Policy", "frame-ancestors 'self'");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // No resources to release.
    }
}
This works.
Why does the CSP header not work when it is added as a meta tag? I even checked
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
and they mention adding CSP in a meta tag.
I know X-FRAME-OPTIONS does not support an HTML meta tag. Is the same true of Content-Security-Policy? Or does Chrome ignore CSP in a meta tag?
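The behaviour behind this question is specified, not a Chrome quirk: when a policy is delivered through a `<meta http-equiv="Content-Security-Policy">` element, browsers drop the `frame-ancestors`, `report-uri` and `sandbox` directives (CSP Level 3, mirrored on the MDN page linked above), so the meta tag in index.html never enforced anything about framing, while the same directive in the response header does. The following Python script is an added example, not code from the question or its project: it statically audits a page's HTML and response headers, reports which meta-delivered directives a browser will silently ignore, and tells you whether `frame-ancestors` is actually in force. The directive list and the parsing rules are assumptions taken from the CSP specification; the sample HTML is the index.html from the question, and the header dictionaries are constructed for the example.

```python
"""Audit how a page delivers its Content-Security-Policy and which directives take effect."""
from __future__ import annotations

from html.parser import HTMLParser

# Header-only directives: a browser strips these from a policy delivered via <meta>.
# Assumption: list taken from CSP Level 3 / MDN, not from the question.
META_IGNORED_DIRECTIVES = frozenset({"frame-ancestors", "report-uri", "sandbox"})


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}.

    Directives are ';'-separated; within one policy the first occurrence of a
    directive name wins and later duplicates are ignored (as browsers do).
    """
    directives: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:
            directives[name] = parts[1:]
    return directives


class MetaCSPExtractor(HTMLParser):
    """Collect the content of every <meta http-equiv="Content-Security-Policy"> element."""

    def __init__(self) -> None:
        super().__init__()
        self.policies: list[str] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag.lower() != "meta":
            return
        attributes = {k.lower(): (v or "") for k, v in attrs}
        if attributes.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(attributes.get("content", ""))


def meta_policies(html: str) -> list[str]:
    parser = MetaCSPExtractor()
    parser.feed(html)
    return parser.policies


def audit_csp(html: str, headers: dict[str, str]) -> dict:
    """Report header-delivered directives, effective meta directives, and what was dropped."""
    header_value = next(
        (v for k, v in headers.items() if k.lower() == "content-security-policy"), None
    )
    header_directives = parse_policy(header_value) if header_value else {}

    meta_effective: dict[str, list[str]] = {}
    dropped: set[str] = set()
    for policy in meta_policies(html):
        for name, values in parse_policy(policy).items():
            if name in META_IGNORED_DIRECTIVES:
                dropped.add(name)  # present in the markup, but a browser never applies it
            else:
                meta_effective.setdefault(name, values)

    return {
        "header": header_directives,
        "meta": meta_effective,
        "dropped_from_meta": sorted(dropped),
        # Framing protection only exists if the header carries it; meta cannot supply it.
        "frame_ancestors_enforced": "frame-ancestors" in header_directives,
    }


# Sample input: the index.html from the question (the meta tag is its only CSP).
INDEX_HTML = """<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self'">
<meta charset="utf-8">
<title>QA Eval Webapp</title>
</head>
<body><app-root></app-root></body>
</html>"""

if __name__ == "__main__":
    # Constructed responses: one without the filter, one with the header the filter adds.
    print(audit_csp(INDEX_HTML, {}))
    print(audit_csp(INDEX_HTML, {"Content-Security-Policy": "frame-ancestors 'self'"}))
```

Run against the page as served by the bare Angular build, the audit lists `frame-ancestors` under `dropped_from_meta` and reports it as not enforced; with the response from the servlet filter the header carries the directive and it is enforced. The script only inspects the delivered policy, it does not emulate a browser, so use it as a pre-deployment check that framing restrictions were put in the header rather than the markup.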