Is it safe to send Content-Security-Policy for dynamically generated pages with text/html and other hypertext content-types only or do I need to send this header for all files including static assets - images, JS and CSS files?

AlexD

  • Is there a reason to do so? A reason against it would for example be `text/xml` content which can be rendered as (x)HTML, but I do not see the point in configuring the server to send different security headers based on mimetype. – allo May 25 '18 at 14:37
  • @allo the reason is that CSP headers can be generated by the web application so there is no need to update server configuration when developers need to update CSP. – AlexD May 25 '18 at 14:58
  • That's a good reason. Do you make sure there are no files which may contain dynamic content outside of the files generated by the web application? A `png` should be quite safe, but I would not be that sure for `svg`, for instance, or folders for user uploads and similar. – allo May 25 '18 at 15:04
  • @allo I have checked the CSP standard and it mentions that CSP applies to `svg`, but I'm not sure about other types. – AlexD May 25 '18 at 15:13
  • Please see the answer referenced on StackOverFlow.com: https://stackoverflow.com/a/38167905/367988 – Basil A Mar 14 '19 at 08:25

1 Answer

There are cases where users can influence the MIME type based on different factors. For example, IE can be fooled into rendering text/plain as text/html under certain circumstances. And, again, there are various other MIME types which are rendered and can exfiltrate data. For example, even PDF files can execute JavaScript, and so can Flash, SVG, XML or any other plug-in handled content types.

Therefore, it's best to apply CSP using a configuration file on all rendered content.

On a side note, always return the correct content type with the correct charset attribute, along with the `X-Content-Type-Options: nosniff` header.

1lastBr3ath
  • I have `nosniff` already applied. For user uploaded files I can apply a strict CSP policy which doesn't need to change. But the files I have in mind are static assets of the web application which are managed by developers. – AlexD May 25 '18 at 17:34
  • Also, I understand that CSP can limit plugins used on the page but is the CSP honored by browser plugins? – AlexD May 25 '18 at 17:54
  • No, plug-ins can do whatever they want. And, please remember, on same origin, any MIME type can be sniffed unless instructed not to. – 1lastBr3ath May 26 '18 at 04:44
  • So, what is the point of applying CSP for a PDF if it is ignored by a plugin used to render it? – AlexD May 26 '18 at 16:24
  • Well, PDFs no longer require a separate plug-in. It is handled by the pdf.js library. – 1lastBr3ath May 26 '18 at 18:52
  • You were talking about plug-in handled content. So the same question: what is the point of applying CSP for content types which are handled by plugins which don't respect CSP? Also, Chrome uses an internal plugin for PDF, not pdf.js. – AlexD May 26 '18 at 20:05
  • Okay, I could be wrong though. It's the spec that says so, https://www.w3.org/TR/CSP3/#extensions; "Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN]." – 1lastBr3ath May 27 '18 at 06:36
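Putting the answer's advice into practice, as an added example that is not code from the question or the answer: a Python WSGI middleware that applies a CSP, `X-Content-Type-Options: nosniff` and a charset to every response the application serves, so static assets like SVG get the headers too, while a policy the application already generated for a page (the asker's setup) is left alone. The policy string, the middleware and the demo app are constructed for illustration; `wsgiref` is standard library.

```python
from wsgiref.util import setup_testing_defaults

# Constructed fallback policy; a real deployment would set its own.
FALLBACK_CSP = "default-src 'self'; object-src 'none'; base-uri 'none'"
# Non-text types browsers still render as markup (the thread names SVG and XML).
RENDERED_AS_MARKUP = {"image/svg+xml", "application/xml", "application/xhtml+xml"}

def with_charset(content_type):
    """Append charset=utf-8 to text/* and markup-like types that lack one."""
    media = content_type.split(";", 1)[0].strip().lower()
    if "charset=" in content_type.lower():
        return content_type
    if media.startswith("text/") or media in RENDERED_AS_MARKUP:
        return content_type.rstrip().rstrip(";") + "; charset=utf-8"
    return content_type  # binary types such as image/png stay untouched

def harden_headers(headers, policy=FALLBACK_CSP):
    """Ensure CSP and nosniff are present; a CSP the app set itself is kept."""
    present = {name.lower() for name, _ in headers}
    out = [(n, with_charset(v) if n.lower() == "content-type" else v)
           for n, v in headers]
    if "content-security-policy" not in present:
        out.append(("Content-Security-Policy", policy))
    if "x-content-type-options" not in present:
        out.append(("X-Content-Type-Options", "nosniff"))
    return out

class SecurityHeadersMiddleware:
    """Wraps any WSGI app so the headers apply to every content type served."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def start(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers), exc_info)
        return self.app(environ, start)

def demo_app(environ, start_response):
    """Constructed sample app: an HTML page with its own CSP plus a static SVG."""
    if environ["PATH_INFO"] == "/logo.svg":
        start_response("200 OK", [("Content-Type", "image/svg+xml")])
        return [b"<svg xmlns='http://www.w3.org/2000/svg'/>"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Security-Policy", "default-src 'none'")])
    return [b"<!doctype html><title>demo</title>"]

def response_headers(app, path):
    """Call a WSGI app offline (no socket) and return its response headers."""
    environ, captured = {}, {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    app(environ, lambda status, headers, exc_info=None: captured.update(headers))
    return captured
```

Wrapping the application object once (`SecurityHeadersMiddleware(demo_app)`) covers every path it serves, including files that were never templated by the application.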