<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Twitter</title>
<style>
body {
background-color: #ffffff;
font-family: sans-serif;
}
a {
color: #1da1f2;
}
svg {
color: #1da1f2;
display: block;
fill: currentcolor;
height: 21px;
margin: 13px auto;
width: 24px;
}
</style>
</head>
<body>
<noscript>
<<span class="pl-ent"><span class="pl-bu">center</span></span>>If you’re not redirected soon, please <<span class="pl-ent">a</span> <span class="pl-e">href</span>=<span class="pl-s"><span class="pl-pds">"</span>/<span class="pl-pds">"</span></span>>use this link</<span class="pl-ent">a</span>>.</<span class="pl-ent"><span class="pl-bu">center</span></span>>
</<span class="pl-ent">noscript</span>>
<<span class="pl-ent">script</span> <span class="pl-e">nonce</span>=<span class="pl-s"><span class="pl-pds">"</span>SG0bV9rOanQfzG0ccU8WQw==<span class="pl-pds">"</span></span>><span class="pl-s1"></span>
document.cookie = "app_shell_visited=1;path=/;max-age=5";
location.replace(location.href.split("#")[0]);
</script>
</body>
</html>
相比平时看到的其他站点的源码,可以说是很清爽了。没有乱七八糟的标签,功能却一样不少。特别有迷惑性,以为这便是页面所有的源码,但查看 DevTools 的 Source 面板后很容易知道这并不是真实的 HTML 代码。但为何页面源码给出的是如此清爽的版本,这里先不研究。
document.cookie = "app_shell_visited=1;path=/;max-age=5";
location.replace(location.href.split("#")[0]);
</script></pre></div>
nonce
https:
https:
Content-Security-Policy
<meta>
Content-Security-Policy
<meta>
<meta>
Content-Security-Policy
<meta>
Content-Security-Policy: <policy-directive>; <policy-directive>…
script-src
img-src
base-uri
<base>
child-src
child-src https:
connect-src
font-src
font-src https:
form-action
<form>
frame-ancestors
child-src
<frame>
<iframe>
<embed>
<applet>
<meta>
frame-src
tochild-src
img-src
media-src
object-src
plugin-types
report-uri
<meta>
style-src
upgrade-insecure-requests
worker-src
child-src
frame-ancestors
frame-ancestors
child-src
*
img-src
default-src
img-src
*
default-src
default-src
default-src ‘self’
Content-Security-Policy: default-src ‘self’; img-src https:
<meta>
script-src 'self' https:
self
none
https:
none
csp_test.html
test.js
alert(‘来自 test.js 的问候!’)
none
self
example.com
api.example.com
unsafe-inline
unsafe-eval
eval
setTimeout
script-src
style-src
default-src 'self' ‘unsave-inline’
unsafe-inline
unsafe-eval
onclick=“myHandler”
href=“javascript:;”
Content-Security-Policy
Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
nonce-
<style>
noce
nonce
Content-Security-Policy: script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng='
setTimeout/setInterval
setTimout(‘alert(1)’,1000)
eval
eval(‘alert(1)’)
Function
new Function(‘alert(1)’)
unsafe-eval
eval
Function
setTimeout/setInterval
*
*:
example.com
example.com
http:
http:
http:
http:
URI = scheme:[
authority
authority = [userinfo@]host[:port]
*.example.com
example.com
self
self
Content-Security-Policy
connect-src
http:
connect-src
none
none
Content-Security-Policy: default-src 'self' http:
connect-src 'none';
Content-Security-Policy: connect-src http:
script-src http:
default-src
default-src
*
Content-Security-Policy
report-uri
Content-Security-Policy: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
report-uri
Content-Security-Policy-Report-Only
Content-Security-Policy
Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
Content-Security-Policy: img-src *;
Content-Security-Policy-Report-Only: img-src ‘none’; report-uri http:
img-src ‘none’
CC BY-NC-SA 署名-非商业性使用-相同方式共享
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 如何编写易于单元测试的代码
· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
· .NET Core 中如何实现缓存的预热?
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 周边上新:园子的第一款马克杯温暖上架
· Open-Sora 2.0 重磅开源!
· .NET周刊【3月第1期 2025-03-02】
· 分享 3 个 .NET 开源的文件压缩处理库,助力快速实现文件压缩解压功能!
· [AI/GPT/综述] AI Agent的设计模式综述