Questions tagged [content-security-policy]

This tag is for the Content-Security-Policy HTTP header. For policies in companies, use [corporate-policy].

Content Security Policy is an HTTP response header that tells the browser which sources a page is allowed to load content from.

The following is an example of a Content Security Policy header:

script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' http: https:;
object-src 'none';
base-uri 'none';
report-uri https://csp.example.com;

The header consists of several directives, such as default-src, script-src, object-src or style-src. Each of these directives defines where the corresponding content may be loaded from.

For example, style-src 'self' means that stylesheets may only be loaded from the same origin as the main document. img-src https: means that images can be included from anywhere, as long as the https scheme is being used.

The Mozilla docs contain an in-depth article on the Content Security Policy header, its versions and its usage.

186 questions
48 votes, 2 answers

Is including the data scheme in your Content Security Policy safe?

I have a Cordova app that transforms some images to base64. This violates CSP with this message: Refused to load the image 'data:image/svg+xml;charset=US-ASCII,%3C%3Fxml%20version%3D%221.0%22%20encod…E%3C%2Fg%...%3C%2Fsvg%3E' because it violates…
Martin Verner
33 votes, 2 answers

XSS prevention through Content Security Policy

How can Content Security Policy (CSP) significantly reduce the risk and impact of XSS attacks in modern browsers? Is it possible to circumvent CSP in order to execute XSS?
Ali Ahmad
24 votes, 4 answers

Can I trust public code versioning platforms when building a social platform?

We are developing a kind of social platform. It starts as a closed beta for a limited number of users, but the goal is to reach millions of subscriptions. We are currently limited on resources, both infrastructure and e.g. DevOps. So we are using…
ooouuiii
19 votes, 1 answer

Is it safe to send Content-Security-Policy header for text/html content-type only?

Is it safe to send Content-Security-Policy for dynamically generated pages with text/html and other hypertext content-types only or do I need to send this header for all files including static assets - images, JS and CSS files?
AlexD
19 votes, 5 answers

CSP allowing all Google domains?

I'm trying to develop a CSP for the site https://www.lidl-tour.ro. Right now there is a policy that runs in report-only mode, so nothing is blocked at the moment. The site contacts googleads.g.doubleclick.net and stats.g.doubleclick.net. So I have…
HorstKevin
16 votes, 2 answers

Why is CSP needed to protect against img-src leak?

GitHub explains the problem with img-src in "GitHub's post-CSP journey": A tag with an unclosed quote will capture all output up to the next matching quote. This could include security sensitive content on the pages such as:
13 votes, 3 answers

Content-Security-Policy hash of script

However, I still receive in Chrome: Refused to execute inline…
Steven R.
12 votes, 1 answer

Is allowing blob: in Content-Security-Policy a risk?

Recently, I've set Content-Security-Policy headers for my web application. I've tried to be as strict as possible. What strikes me most is the fact that I had to allow blob: for connect-src and img-src due to a third-party component. (Both…
cis
12 votes, 3 answers

HTTP Content-Security-Policy Nonce and Caching

Is anyone here able to clarify how caching affects adding a nonce=value to all inline javascript? If the nonce must be unique and unpredictable, then one would need to disable all server-side (i.e. Varnish, Cloudfront, etc) caching on the pages that…
user2687991
12 votes, 2 answers

Iframe inheriting parent's Content Security Policy

I have a parent page that has a Content Security Policy on it. The main purpose of CSP is not to prevent XSS, but to prevent network access. This page has to run some user generated/submitted HTML/CSS/JS. I am running this user content in an iframe…
tapananand
11 votes, 3 answers

CSP Reports: Ignoring Client Malware

I'm seeing a lot of Content Security Policy (CSP) reports raised because of client-side malware. Many have "blocked-uri" entries like randomstring.cloudfront.net, something.akamaihd.net and so on. I would like to detect CSP reports caused by…
10 votes, 1 answer

What's the difference between frame-ancestors and child-src?

Both options seem to control who can embed the content in an