What is happening when I have two CSP (Content Security Policy) policies: header & meta?

Backend · Unresolved · 1 answer · 1670 views
野性不改 · 2020-11-27 06:56

The question is regarding CSP being served twice:

What's the behavior if there is one policy served through the Content-Security-Policy HTTP resp

1 answer
  • 2020-11-27 07:35

    If you have CSP directives specified both in a Content-Security-Policy HTTP header and in a meta element, the browser uses the most-restrictive CSP directives, wherever they’re specified.

    See the details on multiple policies at https://w3c.github.io/webappsec-csp/#multiple-policies and the details on use of the meta element at https://w3c.github.io/webappsec-csp/#meta-element:

    Note: A policy specified via a meta element will be enforced along with any other policies active for the protected resource, regardless of where they’re specified. The general impact of enforcing multiple policies is described in §8.1 The effect of multiple policies.

    8.1. The effect of multiple policies

    The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource.

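To make the "each policy is enforced independently, so the result can only get more restrictive" rule concrete, here is an added example that models it in JavaScript. It is not code from the answer above or from any browser; it is a deliberately simplified CSP evaluator (source expressions limited to 'self', 'none', '*', scheme-sources and host-sources, no paths, ports, wildcard hosts, nonces or hashes, and only a subset of the directives that fall back to default-src). The page origin and the two policies are constructed for the demonstration.

```javascript
// Added example (not from the original post): a small model of how a browser
// combines multiple CSP policies, e.g. one from the Content-Security-Policy
// header and one from a <meta http-equiv="Content-Security-Policy"> element.
// Per the spec, every policy is enforced on its own, so a load goes through
// only if *every* policy allows it. The matcher below is a simplification
// (no paths, ports, wildcard hosts, nonces or hashes).

// Parse "default-src 'self'; script-src https://cdn.example.com" into
// Map<directiveName, sourceExpression[]>. Duplicate directives in one policy
// are ignored after the first, as in the spec.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Subset of the fetch directives that fall back to default-src when absent.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src', 'media-src', 'frame-src',
]);

// Does one source expression match the URL being loaded?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin;
  if (e === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. "https:"
  // host-source: a missing scheme means the page's own scheme.
  const withScheme = e.includes('://') ? e : `${new URL(pageOrigin).protocol}//${e}`;
  const want = new URL(withScheme);
  return want.protocol === url.protocol && want.hostname === url.hostname;
}

// Does a single policy allow loading `url` under `directive`?
function policyAllows(policy, directive, url, pageOrigin) {
  let sources = policy.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = policy.get('default-src');
  }
  if (sources === undefined) return true; // this policy says nothing about the directive
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// The multiple-policies rule: every enforced policy must allow the load.
function allowedByAll(serializedPolicies, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  return serializedPolicies
    .map(parsePolicy)
    .every((policy) => policyAllows(policy, directive, url, pageOrigin));
}

// Constructed scenario (assumed, not from the post): a page on https://app.example
// that receives one policy in the HTTP header and another in a <meta> element.
const PAGE_ORIGIN = 'https://app.example';
const HEADER_POLICY = "default-src 'self'";
const META_POLICY = 'script-src https://cdn.example.com';

function demo() {
  const both = [HEADER_POLICY, META_POLICY];
  return {
    // Header allows it via 'self', meta blocks it (its script-src has no 'self').
    ownScript: allowedByAll(both, 'script-src', 'https://app.example/app.js', PAGE_ORIGIN),
    // Meta allows it, header blocks it (script-src falls back to default-src 'self').
    cdnScript: allowedByAll(both, 'script-src', 'https://cdn.example.com/lib.js', PAGE_ORIGIN),
    // Only the header governs images; 'self' matches.
    ownImage: allowedByAll(both, 'img-src', 'https://app.example/logo.png', PAGE_ORIGIN),
    // With the header alone, the page's own script would have loaded.
    headerOnly: allowedByAll([HEADER_POLICY], 'script-src', 'https://app.example/app.js', PAGE_ORIGIN),
  };
}

console.log(demo());
```

The point the output makes is that the two policies are not merged into one allowlist: the header alone would let app.js run, the meta policy alone would let lib.js run, but with both in force neither script loads, because each load must satisfy every policy. The model also ignores that, per the meta-element section of the spec, frame-ancestors, report-uri and sandbox are not honoured when delivered via a meta element; only the header can carry those.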