月份:2015年8月

Content Security Policy介绍

csp,防止xss攻击

本文介绍的是W3C的Content Security Policy,简称CSP。顾名思义,这个规范与内容安全有关,主要是用来定义页面可以加载哪些资源,减少XSS的发生。

Chrome扩展已经引入了CSP,通过manifest.json中的content_security_policy字段来定义。一些现代浏览器也支持通过响应头来定义CSP。下面我们主要介绍如何通过响应头来使用CSP,Chrome扩展中CSP的使用可以参考Chrome官方文档

浏览器兼容性

早期的Chrome是通过X-WebKit-CSP响应头来支持CSP的,而firefox和IE则支持X-Content-Security- Policy,Chrome25和Firefox23开始支持标准的的Content-Security-Policy,见下表。

响应头 Chrome Firefox Safari IE
Content-Security-Policy 25+ 23+
X-Content-Security-Policy 4.0+ 10.0(有限的)
X-Webkit-CSP 14+ 6+

完整的浏览器CSP支持情况请移步CanIUse

如何使用

要使用CSP,只需要服务端输出类似这样的响应头就行了:

Content-Security-Policy: default-src 'self'

default-src是CSP指令,多个指令之间用英文分号分割;’self’是指令值,多个指令值用英文空格分割。目前,有这些CSP指令:

指令 指令值示例 说明
default-src ‘self’ cnd.a.com 定义针对所有类型(js、image、css、web font,ajax请求,iframe,多媒体等)资源的默认加载策略,某类型资源如果没有单独定义策略,就使用默认的。
script-src ‘self’ js.a.com 定义针对JavaScript的加载策略。
style-src ‘self’ css.a.com 定义针对样式的加载策略。
img-src ‘self’ img.a.com 定义针对图片的加载策略。
connect-src ‘self’ 针对Ajax、WebSocket等请求的加载策略。不允许的情况下,浏览器会模拟一个状态为400的响应。
font-src font.a.com 针对Web Font的加载策略。
object-src ‘self’ 针对<object>、<embed>或<applet>等标签引入的flash等插件的加载策略。
media-src media.a.com 针对<audio>或<video>等标签引入的html多媒体的加载策略。
frame-src ‘self’ 针对frame的加载策略。
sandbox allow-forms 对请求的资源启用sandbox(类似于iframe的sandbox属性)。
report-uri /report-uri 告诉浏览器如果请求的资源不被策略允许时,往哪个地址提交日志信息。

特别的:如果只想让浏览器汇报日志,而不阻止任何内容。可以改用Content-Security-Policy-Report-Only响应头。

指令值可以由下面这些内容组成:

指令值 指令示例 说明
* img-src * 允许任何内容。
‘none’ img-src ‘none’ 不允许任何内容。
‘self’ img-src ‘self’ 允许来自相同来源的内容(相同的协议、域名和端口)。
data img-src data 允许data:协议(例如base64编码的图片)。
www.a.com img-src img.a.com 允许加载指定域名的资源。
*.a.com img-src *.a.com 允许加载a.com任何子域的资源。
https://img.com img-src https://img.com 允许加载img.com的https资源(协议需匹配)。
https: img-src https: 允许加载https资源。
‘unsafe-inline’ script-src ‘unsafe-inline’ 允许加载inline资源(例如常见的style属性,onclick,inline js和inline css等等)。
‘unsafe-eval’ script-src ‘unsafe-eval’ 允许加载动态js代码,例如eval()。

从上面的介绍可以看到,CSP协议可以控制的内容非常多。而且如果不特别指定’unsafe-inline’时,页面上所有inline的样式和脚 本都不会执行;不特别指定’unsafe-eval’,页面上不允许使用new Function,setTimeout,eval等方式执行动态代码。在限制了页面资源来源之后,被XSS的风险确实小不少。

当然,仅仅依靠CSP来防范XSS是远远不够的,不支持全部浏览器是它的硬伤。不过,鉴于低廉的开发成本,加上也没什么坏处。如果担心影响面太大,也可以像下面这样,仅收集不匹配规则的日志,先观察下:

Content-Security-Policy-Report-Only: script-src 'self'; report-uri http://test/

这样,如果页面上有inline的JS,依然会执行,只是浏览器会向指定地址发送一个post请求,包含这样的信息:

{"csp-report":{"document-uri":"http://test/test.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri http://test/","blocked-uri":""}}

文章来源:http://www.2cto.com/Article/201307/230739.html

mysql数据库配置文件和Can’t create/write to file(errno13)

Can’t create/write to file ‘/tmp/#sql_8e6_0.MYI’ (Errcode: 13)

在ubuntu8。04环境下用新立得安装了mysql,启动服务器没有问题,登录创建数据库,创建表也没有问题
就是有一点,我describe 表的时候出现错误:
mysql> desc pet;
ERROR 1 (HY000): Can’t create/write to file ‘/tmp/#sql_157f_0.MYI’ (Errcode: 13);

sudo /etc/init.d/mysql start启动服务器

mysql -u root -p +密码登录
我已经给root用户增设了权限
mysql> grant allprivileges on *.* to root@localhost;
对于下面我附加的我的my.cnf文件中的
tmpdir = /tmp
我已经修改了她的权限
桌面$ sudo chown root:root /tmp
桌面$ sudo chmod 1777 /tmp
但是无论如何还是不能desc +表;
还有就是我向表中添加数据,删除数据,查询数据都没有问题,真是急死人。
下面是我的附加的my.cnf文件
我的是在/etc/mysql目录下

#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# – “/etc/mysql/my.cnf” to set global options,
# – “~/.my.cnf” to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with –help to get a list of available options and with
# –print-defaults to see which it would actually understand and use.
#
# For explanations see
http://dev.mysql.com/doc/mysql/en/serve … ables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain “#” chars…
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0

[mysqld]
#
# * Basic Settings
#

#
# * IMPORTANT
# If you make changes to these settings and your system uses apparmor, you may
# also need to also adjust /etc/apparmor.d/usr.sbin.mysqld.
#

user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
language = /usr/share/mysql/english
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
#
# * Fine Tuning
#
key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 128K
thread_cache_size = 8
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
#log = /var/log/mysql/mysql.log
#
# Error logging goes to syslog. This is a Debian improvement :)
#
# Here you can see queries with especially long duration
#log_slow_queries = /var/log/mysql/mysql-slow.log
#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = include_database_name
#
# * BerkeleyDB
#
# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
skip-bdb
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
#skip-innodb
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI “tinyca”.
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem

[mysqldump]
quick
quote-names
max_allowed_packet = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completition

[isamchk]
key_buffer = 16M

#
# * NDB Cluster
#
# See /usr/share/doc/mysql-server-*/README.Debian for more information.
#
# The following configuration is read by the NDB Data Nodes (ndbd processes)
# not from the NDB Management Nodes (ndb_mgmd processes).
#
# [MYSQL_CLUSTER]
# ndb-connectstring=127.0.0.1

#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with ‘.cnf’, otherwise they’ll be ignored.
#
!includedir /etc/mysql/conf.d/

解决方法:

Try the following:
1.mkdir /var/lib/mysql/tmp
2.chmod mysql:mysql /var/lib/mysql/tmp
3.Add the following line into the[mysql]section:tmpdir = /var/lib/mysql/tmp
4.restart the server

我尝试上面建议的操作:
1.肯定没有问题,创建一个文件夹/var/lib/mysql/tmp
2.肯定有问题,压根就没有发现过这样的用法,可能这个帖子是给高手看的,反思了半天,我才知道说的是:
chown mysql:mysql /var/lib/mysql/tmp(自己查看chmod和chown的作用和用法)
3.看似没有问题,其实是有问题,他说的是Add,其实不是添加的意思,而是修改的意思
4.没有问题
经过修改中的修改我的mysql正常运行了
mysql> desc pet;
+———+———-+——+—–+———+——-+
| Field | Type | Null | Key | Default | Extra |
+———+———-+——+—–+———+——-+
| name | char(10) | YES | | NULL | |
| address | char(20) | YES | | NULL | |
+———+———-+——+—–+———+——-+

这个问题困扰了我一个月之久,希望对遇到或者将来有可能遇到这类问题的有志之士有所帮助。
当然,系统和机子不一样可能有所不同,望因事而异!

 

文章来源:http://blog.csdn.net/samxx8/article/details/7608136