Questions tagged [content-security-policy]

This tag is for the Content-Security-Policy HTTP header. For policies in companies, use [corporate-policy].

Content Security Policy is an HTTP header that tells the browser which sources a website is allowed to load resources from.

The following is an example of a Content Security Policy header:

script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' http: https:;
object-src 'none';
base-uri 'none';
report-uri https://csp.example.com;

The header consists of several directives, such as default-src, script-src, object-src or style-src. Each of these directives defines where the corresponding content may be loaded from.

For example, style-src 'self' means that stylesheets may only be loaded from the same origin as the main document. img-src https: means that images can be included from anywhere, as long as the https scheme is used.

The Mozilla docs contain an in-depth article on the Content Security Policy header, its versions and its usage.

199 questions
19 votes, 1 answer

Is it safe to send Content-Security-Policy header for text/html content-type only?

Is it safe to send Content-Security-Policy for dynamically generated pages with text/html and other hypertext content-types only or do I need to send this header for all files including static assets - images, JS and CSS files?
AlexD · 276 · 1 · 9
8 votes, 1 answer

Content Security Policy Style Hash

I have an img tag on a page with an inline style that looks like this: style="height:50px;width:180px;display:block;" I can't move it to an external stylesheet because the img tag is generated by a 3rd party control. So I copied the hash displayed in…
td48260 · 83 · 1 · 4
6 votes, 2 answers

What is the behaviour of CSP if default-src not specified?

Basically all in the title. Imagine a simple CSP like Content-Security-Policy: script-src 'self' What is the behaviour of directives that would normally fall back to default-src which are not specified such as img-src or frame-src? Will they…
Mike Ounsworth · 59,005 · 21 · 158 · 212
5 votes, 1 answer

Is CSP meant to be used with HTTPS (TLS) only?

If a site uses HTTP and not HTTPS, is it useful to include a Content Security Policy? Can an adversary not just remove it?
savx2 · 153 · 4
5 votes, 1 answer

Why does Chrome claim that this stylesheet violates the Content Security Policy?

I have a website in which I include several CSS stylesheets from my own server and one stylesheet from a remote server. I wanted to write my Content Security Policy in a way to permit all local stylesheets, and only this one specific remote style…
user163495
4 votes, 3 answers

When is content security policy (CSP) not appropriate?

We've recently conducted a security review of our identity server website and one of the findings was about a missing CSP header. We do have an implementation of a request filter to add CSP on a controller level. So my question is, is there any…
MichaelChan · 245 · 1 · 4 · 10
4 votes, 1 answer

SRI for CSP - how do I get the hash for inline code?

I have been messing about with website design for years, but I am no expert - more of a hardware junkie. CSP is fascinating for me now that I am starting to branch out into web development. I was really battling with hashes for my scripts because I…
Flatspin · 41 · 6
3 votes, 2 answers

Benefit of permissive Content-Security-Policy

I am new to the concept of Content-Security-Policy (CSP) so please forgive my ignorance. The site https://securityheaders.com parses headers and provides a score. For example unibet.com is awarded a favorable "A" grading while having this security…
Andreas F · 131 · 4
3 votes, 0 answers

Understanding CSP: report shows blocked