Improving the Availability of Large Web Projects: Zero Script Errors in Practice, 郭林烁, 2017.10
[Excerpt text not recoverable; surviving terms: CSP (Content Security Policy), HTML Meta, HTTP Header, Content-Security-Policy, Content-Security-Policy-Report-Only, CGI, Web, XSS, CSP, https://github.com/joeyguo/blog/issues/5, Script error]
0 points | 62 pages | 7.09 MB | 1 year ago
Apache Wicket 10.x Reference Guide
22.6. Content Security Policy (CSP) ... application requirements. 22.6. Content Security Policy (CSP) In Wicket 9 support for a Content Security Policy (or CSP) has been added. CSP is an added layer of security that helps to detect and mitigate data theft to site defacement to distribution of malware. See MDN for more information on CSP. The default CSP set by Wicket is very strict. It requires all scripts and stylesheets to be rendered
2480 points | 336 pages | 7.16 MB | 1 year ago
Apache Wicket 9.x Reference Guide
22.6. Content Security Policy (CSP) ... application requirements. 22.6. Content Security Policy (CSP) In Wicket 9 support for a Content Security Policy (or CSP) has been added. CSP is an added layer of security that helps to detect and mitigate data theft to site defacement to distribution of malware. See MDN for more information on CSP. The default CSP set by Wicket is very strict. It requires all scripts and stylesheets to be rendered
2470 points | 335 pages | 7.15 MB | 1 year ago
Jupyter Notebook 5.7.5 Documentation
improvements (PR #3368) • Set notebook to dirty state after change to kernel metadata (PR #3350) • Use CSP header to treat served files as belonging to a separate origin (PR #3341) • Don’t install gettext ... ‘No proxy for’ field. 9.5.2 Content-Security-Policy (CSP) Certain security guidelines recommend that servers use a Content-Security-Policy (CSP) header to prevent cross-site scripting vulnerabilities ... communication). Jupyter uses WebSockets for interacting with kernels, so when you visit a server with such a CSP, your browser will block attempts to use wss, which will cause you to see “Connection failed” messages
0 points | 155 pages | 1.71 MB | 1 year ago
Jupyter Notebook 5.7.0 Documentation
improvements (PR #3368) • Set notebook to dirty state after change to kernel metadata (PR #3350) • Use CSP header to treat served files as belonging to a separate origin (PR #3341) • Don’t install gettext ... ‘No proxy for’ field. 9.5.2 Content-Security-Policy (CSP) Certain security guidelines recommend that servers use a Content-Security-Policy (CSP) header to prevent cross-site scripting vulnerabilities ... communication). Jupyter uses WebSockets for interacting with kernels, so when you visit a server with such a CSP, your browser will block attempts to use wss, which will cause you to see “Connection failed” messages
0 points | 145 pages | 1.83 MB | 1 year ago
Jupyter Notebook 5.7.3 Documentation
improvements (PR #3368) • Set notebook to dirty state after change to kernel metadata (PR #3350) • Use CSP header to treat served files as belonging to a separate origin (PR #3341) • Don’t install gettext ... ‘No proxy for’ field. 9.5.2 Content-Security-Policy (CSP) Certain security guidelines recommend that servers use a Content-Security-Policy (CSP) header to prevent cross-site scripting vulnerabilities ... communication). Jupyter uses WebSockets for interacting with kernels, so when you visit a server with such a CSP, your browser will block attempts to use wss, which will cause you to see “Connection failed” messages
0 points | 155 pages | 1.86 MB | 1 year ago
Jupyter Notebook 5.7.6 Documentation
improvements (PR #3368) • Set notebook to dirty state after change to kernel metadata (PR #3350) • Use CSP header to treat served files as belonging to a separate origin (PR #3341) • Don’t install gettext ... ‘No proxy for’ field. 9.5.2 Content-Security-Policy (CSP) Certain security guidelines recommend that servers use a Content-Security-Policy (CSP) header to prevent cross-site scripting vulnerabilities ... communication). Jupyter uses WebSockets for interacting with kernels, so when you visit a server with such a CSP, your browser will block attempts to use wss, which will cause you to see “Connection failed” messages
0 points | 155 pages | 1.71 MB | 1 year ago
Jupyter Notebook 5.7.1 Documentation
improvements (PR #3368) • Set notebook to dirty state after change to kernel metadata (PR #3350) • Use CSP header to treat served files as belonging to a separate origin (PR #3341) • Don’t install gettext ... ‘No proxy for’ field. 9.5.2 Content-Security-Policy (CSP) Certain security guidelines recommend that servers use a Content-Security-Policy (CSP) header to prevent cross-site scripting vulnerabilities ... communication). Jupyter uses WebSockets for interacting with kernels, so when you visit a server with such a CSP, your browser will block attempts to use wss, which will cause you to see “Connection failed” messages
0 points | 145 pages | 1.82 MB | 1 year ago
Jupyter Notebook 5.7.4 Documentation
improvements (PR #3368) • Set notebook to dirty state after change to kernel metadata (PR #3350) • Use CSP header to treat served files as belonging to a separate origin (PR #3341) • Don’t install gettext ... ‘No proxy for’ field. 9.5.2 Content-Security-Policy (CSP) Certain security guidelines recommend that servers use a Content-Security-Policy (CSP) header to prevent cross-site scripting vulnerabilities ... communication). Jupyter uses WebSockets for interacting with kernels, so when you visit a server with such a CSP, your browser will block attempts to use wss, which will cause you to see “Connection failed” messages
0 points | 155 pages | 1.86 MB | 1 year ago
Jupyter Notebook 5.7.2 Documentation
improvements (PR #3368) • Set notebook to dirty state after change to kernel metadata (PR #3350) • Use CSP header to treat served files as belonging to a separate origin (PR #3341) • Don’t install gettext ... ‘No proxy for’ field. 9.5.2 Content-Security-Policy (CSP) Certain security guidelines recommend that servers use a Content-Security-Policy (CSP) header to prevent cross-site scripting vulnerabilities ... communication). Jupyter uses WebSockets for interacting with kernels, so when you visit a server with such a CSP, your browser will block attempts to use wss, which will cause you to see “Connection failed” messages
0 points | 145 pages | 1.83 MB | 1 year ago
71 results in total













