Apache 跨域策略允许Youtube_Apache_Security_Centos_Xss_Content Security Policy

Apache 跨域策略允许Youtube

apache security centos

Apache 跨域策略允许Youtube,apache,security,centos,xss,content-security-policy,Apache,Security,Centos,Xss,Content Security Policy,我只想从我的网站，youtube和addthis脚本被加载，没有其他是允许的。这是我的crossdomain.xml <?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="m

我只想从我的网站，youtube和addthis脚本被加载，没有其他是允许的。这是我的crossdomain.xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="my website url"/>
    <allow-access-from domain="www.youtube.com"/>
    <allow-access-from domain="ct1.addthis.com"/>
</cross-domain-policy>

编辑2：

我已将其更改为以下内容，但仍得到相同的跟踪

    Header set X-Content-Security-Policy: "allow 'self' https://www.youtube.com; options inline-script; img-src 'self' data:"

如果要防止在指定脚本之外加载脚本，则需要一个而不是

crossdomain.xml

文件

CSP可以帮助防止攻击，因为只允许执行授权内容。因此，如果恶意用户向页面中注入某些脚本，则如果策略未指定

不安全内联

，脚本将不会执行

编辑后更新

如果您需要YouTube跨域访问您的站点，那么您需要实现。这本质上是您页面中的

访问控制允许源代码标题的输出，以允许其他域绕过并访问您的内容客户端。谢谢，我更新了原始帖子，有任何反馈吗？嗨，我没想到您回复得这么快，所以我编辑了一半！
Error in event handler for (unknown): Blocked a frame with origin "https://www.youtube.com" from accessing a cross-origin frame.
Stack trace: Error: Blocked a frame with origin "https://www.youtube.com" from accessing a cross-origin frame.
    at Error (native)
    at setupffoverrides (chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/onloadwff.js:151:86)
    at checkgenpwfillforms (chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/onloadwff.js:152:33)
    at receiveBG (chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/onloadwff.js:130:210)
    at Function.target.(anonymous function) (extensions::SafeBuiltins:19:14)
    at EventImpl.dispatchToListener (extensions::event_bindings:395:22)
    at Function.target.(anonymous function) (extensions::SafeBuiltins:19:14)
    at Event.publicClass.(anonymous function) [as dispatchToListener] (extensions::utils:65:26)
    at EventImpl.dispatch_ (extensions::event_bindings:378:35)
    at EventImpl.dispatch (extensions::event_bindings:401:17) 

    Header set X-Content-Security-Policy: "allow 'self' https://www.youtube.com; options inline-script; img-src 'self' data:"