What is the maximally permissive Content-Security-Policy?

后端 未结 2 662
一生所求
一生所求 2020-12-30 10:03

I have a large, legacy codebase that I\'d like to introduce the Content-Security-Policy header on. It is not feasible in the short term to truly lock-down the s

相关标签:
2条回答
  • 2020-12-30 10:46

    tl;dr use "report only" mode to introduce a policy to a legacy site.

    See w3.org/TR/CSP2/#source-list-guid-matching.

    As defined above, special URL schemes that refer to specific pieces of unique content, such as "data:", "blob:" and "filesystem:" are excluded from matching a policy of * and must be explicitly listed.

    Therefor, something along the lines of default-src * 'unsafe-eval' 'unsafe-inline' 'unsafe-dynamic' data: filesystem: about: blob: ws: wss: is probably close to the most lenient policy. There are more protocols that may need to be whitelisted, of course.


    HOWEVER

    Typically people take the opposite approach. They will deploy the header with Content-Security-Policy-Report-Only: default-src 'none' which will not affect the loading of your site and will allow you to ratchet down your policy based on the violations or console warnings.

    I highly recommend you start with the caspr chrome extension to create an initial policy and then use report-uri.io to view report violations. When your policy seems stable and violations are minimal, then switch your policy to enforce mode.

    0 讨论(0)
  • 2020-12-30 10:52

    Try

    default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; 
    script-src * 'unsafe-inline' 'unsafe-eval'; 
    connect-src * 'unsafe-inline'; 
    img-src * data: blob: 'unsafe-inline'; 
    frame-src *; 
    style-src * data: blob: 'unsafe-inline';
    font-src * data: blob: 'unsafe-inline';
    

    Even with this, you might still find violations, if you find them, report it to me!

    0 讨论(0)
提交回复
热议问题