Content Security Policy

🚧

The CSP list may be modified at any time as the features provided by the SDK change.

Content Security Policy (CSP) is a web security standard for preventing code injection attacks such as Cross-Site Scripting (XSS), Clickjacking, and Pixel-Perfect timing attacks.

If you want to support CSP, add Channel Talk's CSP list below to your whitelist.

default-src
  *.channel.io
  *.channel.app
  *.cdninstagram.com

connect-src
  *.channel.io
  *.channel.app
  *.sentry.io
  wss://*.channel.io
  wss://*.desk-ws.channel.io
  wss://*.front-ws.channel.io

script-src
  'unsafe-inline'
  *.channel.io
  *.sentry-cdn.com

style-src
  'unsafe-inline'

img-src
  *.channel.io
  *.cdninstagram.com
  blob:

script-src ํ•˜์œ„์˜ 'unsafe-inline'๋Š” ์„ค์น˜ํ•˜๊ธฐ์— ์†Œ๊ฐœ๋œ ์ธ๋ผ์ธ ์Šคํฌ๋ฆฝํŠธ(inline script)๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๊ฒฝ์šฐ์—๋งŒ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค. 'unsafe-inline'๋Š” nonce- ํ‚ค์›Œ๋“œ๋กœ ๋Œ€์ฒด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค. ๋” ์ž์„ธํ•œ ๋‚ด์šฉ์€ CSP: script-src๋ฅผ ์ฐธ๊ณ ํ•ฉ๋‹ˆ๋‹ค.