Content Security Policy (CSP)
Tauri restricts the Content Security Policy (CSP) of your HTML pages. This can be used to reduce or prevent the impact of common web-based vulnerabilities such as cross-site scripting (XSS).
Local scripts are hashed, and styles and external scripts are referenced using a cryptographic nonce, which prevents disallowed content from being loaded.
:::caution
Avoid loading remote content such as scripts served over a CDN, as they introduce an attack vector. In general, any untrusted file can introduce new and subtle attack vectors.
:::
The CSP protection is only enabled if it is set in the Tauri configuration file. You should make it as restrictive as possible, only allowing the webview to load assets from hosts you trust, and preferably own. At compile time, Tauri automatically appends its nonces and hashes to the relevant CSP directives for bundled code and assets, so you only need to worry about what is unique to your application.
This is an example CSP configuration taken from Tauri's api example, but every application developer needs to tailor it to their own application's needs.
```json
"csp": {
  "default-src": "'self' customprotocol: asset:",
  "connect-src": "ipc: http://ipc.localhost",
  "font-src": ["https://fonts.gstatic.com"],
  "img-src": "'self' asset: http://asset.localhost blob: data:",
  "style-src": "'unsafe-inline' 'self' https://fonts.googleapis.com"
}
```
See script-src, style-src and CSP Sources for more information about this protection.