https://www.roblox.com/

扫描 ID：: fc37aed1-bd4b-4d34-9860-b861512c3eaa已完成
提交的 URL：: https://roblox.com/已重定向
报告完成时间：: 2025年1月4日 12:12:57

风险 · 找到 0 个

可能带来安全风险的做法

安全标头 · 找到 4 个

可以增强 Web 应用程序安全性的 HTTP 响应标头

名称	值	支持	信息
Strict-Transport-Security	max-age=3600	良性	声明只能通过安全连接 (HTTPS) 访问网站。单击可了解更多信息...
X-Frame-Options	SAMEORIGIN	良性	表明是否允许浏览器在 <frame>、<iframe>、<embed> 或 <object> 中渲染页面。单击可了解更多信息...
X-Content-Type-Options	—	良性	表明应该遵循 Content-Type 标头中公布的 MIME 类型，并且不得进行更改。单击可了解更多信息...
Content-Security-Policy	report-uri https://metrics.roblox.com/v1/csp/report?type=enforce; upgrade-insecure-requests; script-src 'self' 'unsafe-inline' apis.roblox.com roblox.com .evidon.com .gigya.com .google-analytics.com .ns1p.net adservice.google.com cdn.arkoselabs.com connect.facebook.net funcaptcha.com js.rbxcdn.com js.stripe.com long.open.weixin.qq.com midas.gtimg.cn radar.cedexis.com res.wx.qq.com roblox-api.arkoselabs.com arkoselabs.roblox.com roblox-load-generator-configuration.s3.us-east-2.amazonaws.com s.ytimg.com sb.scorecardresearch.com static.rbxcdn.com www.google.com www.gstatic.com www.youtube.com h.online-metrix.net request.eprotect.vantivcnp.com request.eprotect.vantivpostlive.com .googletagmanager.com .googleadservices.com googleads.g.doubleclick.net cdn.veriff.me .lightstep.com client-api.arkoselabs.com api.arkoselabs.com .sierra.chat sierra.chat sc-static.net .sc-static.net .snapchat.com .tapad.com analytics.tiktok.com; img-src* 'self' data: .cloudfront.net .gilcdn.com .gldcdn.com .google-analytics.com .google.com .kaptcha.com .rblx.org .rbxcdn.com .roblox.com .robloxlabs.com googleads.g.doubleclick.net i.ytimg.com www.googletagmanager.com robloxcorp.s.llnwi.net roblox-poc.global.ssl.fastly.net d1unuk07s6td74.cloudfront.net .sierra.chat sierra.chat .stripe.com .tarobicdn.com .tarobidevsandboxcdn.com www.facebook.com .snapchat.com; connect-src* 'self' .roblox.com .robloxlabs.com .rblx.org .rbx.com .rbxcdn.com .roblox.cn .simulpong.com .lightstep.com .ns1p.net .arkoselabs.com .kaptcha.com .google.com .google-analytics.com .doubleclick.net .sentry.io wss://realtime.roblox.com wss://realtime.sitetest1.robloxlabs.com wss://realtime.sitetest2.robloxlabs.com wss://realtime.sitetest3.robloxlabs.com wss://realtime-signalr.roblox.com .braintree-api.com .braintreegateway.com d1q2u37vreaobr.cloudfront.net funcaptcha.com robloxcorp.s.llnwi.net roblox-poc.global.ssl.fastly.net d1unuk07s6td74.cloudfront.net .sierra.chat sierra.chat sc-static.net .sc-static.net .snapchat.com *.tapad.com analytics.tiktok.com;	良性	控制允许用户代理为指定页面加载的资源。单击可了解更多信息...
Referrer-Policy	—	良性	控制请求中应该包含多少引荐者信息。单击可了解更多信息...
Clear-Site-Data	—	良性	控制客户端浏览器为来源服务器存储的数据。单击可了解更多信息...
X-Permitted-Cross-Domain-Policies	—	良性	控制 Web 客户端（例如 Adobe Flash Player 或 Adobe Acrobat）是否拥有跨域处理数据的权限。单击可了解更多信息...
Permissions-Policy	—	新	允许和拒绝在文档或 iframe 中使用浏览器功能。单击可了解更多信息...
Cross-Origin-Embedder-Policy	—	新	配置将跨源资源嵌入到文档中。单击可了解更多信息...
Cross-Origin-Opener-Policy	same-origin-allow-popups	新	确保顶级文档不与跨源文档共享浏览背景组。单击可了解更多信息...
Cross-Origin-Resource-Policy	—	新	请求浏览器阻止对给定资源的 no-cors 跨源/跨站点请求。单击可了解更多信息...
X-XSS-Protection	—	停用	已弃用。当检测到页面遭受反射式跨站点脚本 (XSS) 攻击时，停止加载页面。单击可了解更多信息...
Feature-Policy	—	停用	已弃用。替换为 Permissions-Policy 标头。单击可了解更多信息...
Expect-CT	—	停用	已弃用。选择加入报告和/或执行证书透明度要求。单击可了解更多信息...
Public-Key-Pins	—	停用	已弃用。允许 HTTPS 网站抵御攻击者使用错误颁发的或其他欺诈性证书进行假冒。单击可了解更多信息...

安全违规行为 · 找到 10 个

违反安全策略的请求或资源

违规	类型	信息
资源 https://www.roblox.com/ 描述 Access to XMLHttpRequest at 'https://metrics.roblox.com/v1/thumbnails/metadata' from origin 'https://www.roblox.com' has been blocked by CORS policy: Request header field 1 is not allowed by Access-Control-Allow-Headers in preflight response.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...
资源 https://www.roblox.com/ 描述 Access to XMLHttpRequest at 'https://apis.roblox.com/universal-app-configuration/v1/behaviors/page-heartbeat-v2/content' from origin 'https://www.roblox.com' has been blocked by CORS policy: Request header field 1 is not allowed by Access-Control-Allow-Headers in preflight response.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...
资源 https://www.roblox.com/ 描述 Access to XMLHttpRequest at 'https://apis.rbxcdn.com/captcha/v1/metadata' from origin 'https://www.roblox.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...
资源 https://www.roblox.com/ 描述 Access to font at 'https://css.rbxcdn.com/e1f6e032096b2924e561c3928b9dc73d-BuilderSans-Regular.woff2' from origin 'https://www.roblox.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...
资源 https://www.roblox.com/ 描述 Access to font at 'https://css.rbxcdn.com/60df02cbc9b6a531c2d3cf32025a4dc8-BuilderSans-Bold.woff2' from origin 'https://www.roblox.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...
资源 https://www.roblox.com/ 描述 Access to XMLHttpRequest at 'https://apis.roblox.com/universal-app-configuration/v1/behaviors/cookie-policy/content' from origin 'https://www.roblox.com' has been blocked by CORS policy: Request header field 1 is not allowed by Access-Control-Allow-Headers in preflight response.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...
资源 https://www.roblox.com/ 描述 Access to font at 'https://css.rbxcdn.com/cc7ad65e0558327d8fbe8ade40ab94e8-BuilderSans-Medium.woff2' from origin 'https://www.roblox.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...
资源 https://www.roblox.com/ 描述 Access to font at 'https://css.rbxcdn.com/3a390ad6e476846a971ab5923cb9ff1e-BuilderSans-Regular.woff' from origin 'https://www.roblox.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...
资源 https://www.roblox.com/ 描述 Access to font at 'https://css.rbxcdn.com/27762afe0183d3d8ede503d4f5ad00b5-BuilderSans-Bold.woff' from origin 'https://www.roblox.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...
资源 https://www.roblox.com/ 描述 Access to font at 'https://css.rbxcdn.com/0c1b1b913a2ad4b51e9a8aced52b4362-BuilderSans-Medium.woff' from origin 'https://www.roblox.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.	Cross-Origin Resource Sharing	Controls which external origins are allowed load resources. 单击可了解更多信息...

证书 · 找到· 2 个

SSL/TLS 证书使网站能够加密客户端和服务器之间的事务并提供服务器身份验证

主题	颁发日期	到期日期
roblox.com	2024年11月4日 00:00:00	2025年11月4日 23:59:59
*.rbxcdn.com	2024年7月30日 00:00:00	2025年7月30日 23:59:59