[WordPress plugin] Content Security Policy Pro

WordPress plugin article 2020-04-01 08:20 555 0

Rating
100
Description

The idea is quite simple: by sending a CSP header from a website, you tell the browser which sources it is authorized to load and execute content from; anything outside that list is blocked.

By doing this, Content Security Policy limits what an injected script or tag can do, and so helps mitigate XSS vulnerabilities (it does not remove the underlying bug).

CSP lets a host specify a whitelist of approved sources that a browser may load content from, which makes it an effective countermeasure against XSS attacks.

Content Security Policy is delivered via an HTTP response header, much like HSTS, and defines the approved sources of content that the browser may load.

It can be an effective countermeasure to Cross-Site Scripting (XSS) attacks, is widely supported, and is usually easy to deploy.

CSP Directives

* default-src: Fallback loading policy for every resource type that has no dedicated directive (script-src, img-src, font-src and the other fetch directives fall back to it; form-action, sandbox and report-uri do not),

* script-src: Defines which scripts the protected resource may execute,

* object-src: Defines from where the protected resource may load plugins (object and embed content); set it to 'none' unless plugin content is genuinely required,

* style-src: Defines which stylesheets (CSS) may be applied to the protected resource,

* img-src: Defines from where the protected resource may load images,

* media-src: Defines from where the protected resource may load video and audio,

* frame-src: Defines from where the protected resource may embed frames,

* font-src: Defines from where the protected resource may load fonts,

* connect-src: Defines which URIs the protected resource may contact through script interfaces (XMLHttpRequest, fetch, WebSocket, EventSource),

* form-action: Defines which URIs may be used as the action of HTML form elements,

* sandbox: Specifies an HTML sandbox policy (as the iframe sandbox attribute does) that the user agent applies to the protected resource,

* script-nonce: Restricts script execution by requiring the presence of the specified nonce on script elements. This directive only existed in the CSP 1.1 draft; in the specification as shipped, a nonce is written as a 'nonce-<value>' source expression inside script-src (or style-src), the same value is placed on each script element's nonce attribute, and a fresh value is generated for every response,

* plugin-types: Limits the set of plugins the protected resource can invoke by restricting the MIME types that may be embedded. Defined in CSP Level 2, removed in Level 3 and no longer honoured by current browsers; object-src 'none' is the replacement,

* reflected-xss: Instructs a user agent to activate or deactivate its heuristics for filtering or blocking reflected cross-site scripting, equivalent to the non-standard X-XSS-Protection header. It never shipped in browsers, and the X-XSS-Protection auditor itself has since been removed from current browsers, so do not rely on either,

* report-uri: Specifies a URI to which the user agent sends reports about policy violations. It is deprecated in favour of report-to but still widely supported. Test a new policy first with the Content-Security-Policy-Report-Only header, which reports violations without blocking anything, before switching to the enforcing header.
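To show how the header described above is assembled from these directives and what a reviewer checks before enforcing it, here is an added example in Python (not the plugin's own code and not part of the original page). It builds the header value a site would send (in WordPress the same string goes out through PHP's header() from a send_headers hook), parses it back the way a browser does, applies the default-src fallback, and lints the settings that most often cancel CSP's XSS protection. Directive names, the 'nonce-' source form and the fallback rules are those of the CSP specification; the sample policies, the /csp-report endpoint, the lint messages and all function names are constructed for this example.

```python
import secrets

# Fetch directives covered by the default-src fallback. form-action, sandbox
# and report-uri are deliberately absent: they never fall back to default-src.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src",
}


def new_nonce():
    """Fresh per-response nonce; the same value must go on every <script nonce=...>."""
    return secrets.token_urlsafe(16)


def example_policy(nonce):
    """Policy for a site serving its own scripts plus nonce-marked inline ones.
    Constructed sample, not the plugin's default configuration."""
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'nonce-" + nonce + "'"],
        "object-src": ["'none'"],
        "img-src": ["'self'", "https:", "data:"],
        "form-action": ["'self'"],
        "report-uri": ["/csp-report"],   # hypothetical report endpoint
    }


def build_policy(directives):
    """Serialise {directive: [sources]} into a Content-Security-Policy header value."""
    parts = []
    for name, sources in directives.items():
        parts.append(name + " " + " ".join(sources) if sources else name)
    return "; ".join(parts)


def parse_policy(header_value):
    """Parse a header value back into {directive: [sources]}.
    Names are case-insensitive; a repeated directive is ignored after its
    first occurrence, which is how browsers treat duplicates."""
    policy = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`, or None if nothing in the policy covers it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def lint_policy(policy):
    """Flag the settings that most often cancel CSP's protection against XSS."""
    findings = []
    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("script-src: neither script-src nor default-src set; scripts are unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
        if any(s in ("*", "http:", "https:") for s in scripts):
            findings.append("script-src: wildcard or bare scheme lets any host serve scripts")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src: set 'none' unless plugins are required; plugin content can run script")
    return findings


if __name__ == "__main__":
    header = build_policy(example_policy(new_nonce()))
    print("Content-Security-Policy: " + header)
    print(lint_policy(parse_policy(header)))
    print(lint_policy(parse_policy("script-src 'self' 'unsafe-inline' https:; img-src *")))
```

The weak policy in the last line is what a site ends up with when it adds 'unsafe-inline' to keep legacy inline handlers working: the header is present, but an injected inline script still executes, and without object-src the plugin channel is open too. The nonce approach in example_policy keeps inline scripts working without that hole, provided the nonce is regenerated per response and never reused.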

Written By

This plugin was written by Laxman Thapa, Web Developer.

Installation steps

    1. Install using the WordPress built-in Plugin installer, or extract the zip file and drop its contents into the wp-content/plugins/ directory of your WordPress installation.
    2. Activate the plugin through the 'Plugins' menu in WordPress.
    3. Go to ADMIN > WP CSP.
    4. Add directive rules on this page.

    For more information on the directives see HTML5 Rocks or smashingmagazine.com.

Download
https://downloads.wordpress.org/plugin/content-security-policy-pro.1.3.5.zip