
I am facing a CSP header something like this:

default-src https:; font-src https: data:; img-src https: data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline';

So is this a secure implementation?

This includes https:, so should I consider that any https:// URL is allowed?

Cloud Learner
    Answer down below. I wanted to ask, what made you think this *was* secure? –  Dec 01 '21 at 14:19
  • Thanks, actually I wasn't 100% sure what exactly https: means. – Cloud Learner Dec 01 '21 at 14:22
  • You can find proper documentation [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) –  Dec 01 '21 at 14:56

1 Answer

No, this is not safe.

The fact that your script-src includes 'unsafe-inline' and 'unsafe-eval' means that it provides no defense against Cross-Site Scripting.

Furthermore, https: does indeed mean it allows inclusion of any source using https, such as https://attackercontrolleddomainfromwhichyoudefinitelyshouldneverexecuteanyjavascriptfrom.com
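To make the two points in the answer concrete, here is a small CSP linter written for this page (it is not code from the question, the answer, or any library). It parses a policy string, resolves the script-src fallback to default-src, and reports the script-execution weaknesses discussed above: 'unsafe-inline', 'unsafe-eval', and scheme-wide sources such as https:. The policy strings are constructed samples: WEAK_POLICY is the header from the question, HARDENED_POLICY is an assumed nonce-based alternative, and 'nonce-EXAMPLE' is a placeholder for a per-response random nonce.

```python
"""Added example: a CSP linter for the script-src weaknesses discussed in the answer.
Illustrative code for this page only, not a library API. Policy strings are constructed
samples; 'nonce-EXAMPLE' stands in for a per-response random nonce."""
from typing import Dict, List, Tuple

# Constructed sample 1: the policy from the question, verbatim.
WEAK_POLICY = (
    "default-src https:; font-src https: data:; img-src https: data:; "
    "script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline';"
)

# Constructed sample 2: an assumed hardened alternative (nonce-based script loading).
HARDENED_POLICY = (
    "default-src 'self'; font-src 'self' data:; img-src 'self' data:; "
    "script-src 'nonce-EXAMPLE' 'strict-dynamic'; style-src 'self'; "
    "object-src 'none'; base-uri 'self';"
)

# Scheme-only or wildcard sources: these allow every host reachable on that scheme.
SCHEME_WIDE = {"https:", "http:", "*"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated and case-insensitive. Browsers honour only the
    first occurrence of a directive name and ignore later duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive: first one wins
        policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is not set explicitly."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def lint_script_src(header: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for script execution weaknesses."""
    policy = parse_csp(header)
    sources = [s.lower() for s in effective_script_sources(policy)]
    findings: List[Tuple[str, str]] = []

    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    # CSP3 browsers ignore 'unsafe-inline' when a nonce or hash is present,
    # so only report it when it is actually in effect.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append(("unsafe-inline",
                         "inline <script> blocks and on* handlers run, so injected markup executes"))
    if "'unsafe-eval'" in sources:
        findings.append(("unsafe-eval",
                         "eval(), new Function() and string-argument setTimeout are permitted"))
    # With 'strict-dynamic', browsers ignore host and scheme sources entirely.
    if "'strict-dynamic'" not in sources:
        for s in sources:
            if s in SCHEME_WIDE:
                findings.append((s, f"{s} allows scripts from any origin served over that scheme"))
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}:")
        for code, why in lint_script_src(policy) or [("ok", "no script-src findings")]:
            print(f"  {code}: {why}")
```

Running it reports three findings for the question's header (unsafe-inline, unsafe-eval, https:) and none for the hardened one. The hardened policy relies on the server emitting a fresh random nonce per response and placing it on every legitimate script tag; 'strict-dynamic' then lets nonced scripts load their own dependencies without reopening a host whitelist.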