MrProper

Reputation: 1580

Content security policy not working

I am adding to my response header this header:

x-content-security-policy: default-src 'none';

I would expect no CSS or images to be loaded on the page, but everything is loaded. What am I doing wrong?

Upvotes: 3

Views: 8479

Answers (4)

Freejoy

Reputation: 283

You might try including Header set before Content-Security-Policy, like this:

Header set Content-Security-Policy "default-src 'none'"

Upvotes: 0

Colselaw

Reputation: 1079

For Chrome and newer (v. 23 and newer) versions of Firefox:

Content-Security-Policy: default-src 'none'

For Safari:

X-Webkit-CSP: default-src 'none'

For older versions of Firefox (v. 23 and older):

X-Content-Security-Policy: default-src 'none'

Sorry - with IE, only the sandbox policy is recognized, and that only in IE 10 and newer.

Upvotes: 4
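To make the header-name point and the meaning of default-src 'none' concrete, here is an added example that is not from this thread: a deliberately small Python model of how a browser applies CSP fetch directives. It shows that a policy delivered only under the X-Content-Security-Policy name is ignored by a current browser (so nothing is blocked, exactly the symptom in the question), and that with the standard name default-src 'none' blocks images and stylesheets unless a more specific directive such as img-src 'self' allows them. It models only 'none', 'self', scheme sources (https:) and host sources with an optional *. wildcard; nonces, hashes and 'unsafe-inline' are out of scope. The hostnames site.example and cdn.example are constructed for the example.

```python
"""Added example: a small model of CSP fetch-directive matching, not a
browser's full implementation.  Hostnames below are constructed."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}
STANDARD_HEADER = "content-security-policy"   # the only name current browsers act on
DEFAULT_PORTS = {"http": 80, "https": 443}
PAGE = "https://site.example/"                 # constructed page origin


def parse_policy(policy):
    """Turn "default-src 'none'; img-src 'self'" into {directive: [sources]}."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            # CSP honours the first occurrence of a directive and ignores repeats.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _origin(url):
    """(scheme, host, port) with the default port filled in, as 'self' compares it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, resource_url, page_url):
    """Does one source expression allow resource_url when loaded from page_url?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(resource_url) == _origin(page_url)
    if source.startswith("'"):
        return False  # nonces, hashes and 'unsafe-*' keywords are not modelled here
    res_scheme, res_host, res_port = _origin(resource_url)
    page_scheme = _origin(page_url)[0]
    if source.endswith(":") and "/" not in source:
        # scheme-source such as "https:"; per the spec "http:" also admits https
        want = source[:-1].lower()
        return res_scheme == want or (want == "http" and res_scheme == "https")
    # host-source: [scheme://]host[:port], where host may start with "*."
    parts = urlsplit(source if "://" in source else "//" + source)
    if parts.scheme:
        if parts.scheme.lower() != res_scheme:
            return False
    elif res_scheme != page_scheme and not (page_scheme == "http" and res_scheme == "https"):
        return False  # no scheme given: inherit the page's scheme (https upgrade allowed)
    host = (parts.hostname or "").lower()
    if host.startswith("*."):
        if not res_host.endswith(host[1:]):
            return False
    elif host != res_host:
        return False
    want_port = parts.port if parts.port is not None else DEFAULT_PORTS.get(res_scheme)
    return want_port == res_port


def effective_sources(directives, directive):
    """CSP fallback rule: a missing fetch directive uses default-src; if that is
    missing as well the load is unrestricted (returned as None)."""
    if directive in directives:
        return directives[directive]
    if directive in FETCH_DIRECTIVES:
        return directives.get("default-src")
    return None


def is_allowed(policy, directive, resource_url, page_url=PAGE):
    """Would a browser enforcing `policy` let the page load resource_url under `directive`?"""
    sources = effective_sources(parse_policy(policy), directive)
    if sources is None:
        return True
    return any(source_matches(s, resource_url, page_url) for s in sources)


def enforced_policy(headers):
    """The policy a current browser enforces from a dict of response headers, or None.
    Only the standard name counts; X-Content-Security-Policy / X-WebKit-CSP are ignored."""
    for name, value in headers.items():
        if name.lower() == STANDARD_HEADER:
            return value
    return None


if __name__ == "__main__":
    # The header from the question: a modern browser does not recognise the X- name.
    print("enforced:", enforced_policy({"X-Content-Security-Policy": "default-src 'none'"}))
    policy = "default-src 'none'; img-src 'self'"
    for directive, url in (("img-src", PAGE + "logo.png"),
                           ("style-src", PAGE + "main.css"),
                           ("img-src", "https://cdn.example/logo.png")):
        verdict = "allowed" if is_allowed(policy, directive, url) else "blocked"
        print(f"{directive:10} {url:36} {verdict}")
```

The practical check this encodes: look at the actual response with the browser's network panel or curl -I and confirm the header is literally named Content-Security-Policy; a policy under any other name is not a weak policy, it is no policy at all.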

kravietz

Reputation: 11285

CSP headers now come in at least three flavours and support is very different among browser versions. I'd recommend using just the most standard one (Content-Security-Policy), initially in the report-only mode (Content-Security-Policy-Report-Only). See https://en.wikipedia.org/wiki/Content_Security_Policy#Status for details. You can also try an "iterative" approach to building your content security policy using http://cspbuilder.info/

Upvotes: 0
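The report-only rollout and the iterative approach mentioned above, as an added example in Python that is not from this thread or from cspbuilder.info. A Content-Security-Policy-Report-Only header with a report-uri directive makes the browser POST a JSON violation report instead of blocking anything; the code below serves such a header, parses the reports, and adds each blocked external origin to the directive that blocked it, while anything reported as "inline" or "eval" is set aside for a human decision rather than turned into 'unsafe-inline'. The /csp-report path, the origins and the sample reports are constructed for the example. Note that report-uri is the CSP 1/2 mechanism; CSP 3 adds report-to, but report-uri is still what most deployments rely on.

```python
"""Added example: report-only CSP rollout and policy refinement from violation
reports.  Endpoint path, origins and sample reports are constructed."""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# blocked-uri values that are not URLs: they need a human decision, never an
# automatic 'unsafe-inline', 'unsafe-eval' or data: allowance.
NON_URL_BLOCKED = {"", "inline", "eval", "data", "blob", "self", "about"}


def build_csp_header(directives, report_only=False, report_uri=None):
    """Serialize {directive: [sources]} into a (header name, header value) pair."""
    parts = [f"{name} {' '.join(sources)}" for name, sources in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")  # where the browser POSTs violation JSON
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(parts)


def parse_violation_report(body):
    """Pick the actionable fields out of a report-uri POST body ({"csp-report": {...}})."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        report = None
    if not isinstance(report, dict):
        raise ValueError("not a CSP violation report")
    # CSP 2 reports carry effective-directive; CSP 1 reports only the violated
    # directive text, whose first token is the directive name.
    directive = report.get("effective-directive") or (report.get("violated-directive") or "").split(" ")[0]
    return {"document": report.get("document-uri", ""),
            "directive": directive,
            "blocked": report.get("blocked-uri", "")}


def refine_policy(directives, reports):
    """Return (policy, needs_review).  Each blocked external origin is added to the
    directive that blocked it; a newly created directive is seeded from default-src
    minus 'none' so it does not silently drop what the fallback already allowed."""
    policy = {name: list(sources) for name, sources in directives.items()}
    needs_review = []
    for report in reports:
        blocked = report["blocked"]
        if not report["directive"] or blocked in NON_URL_BLOCKED or "://" not in blocked:
            needs_review.append(report)
            continue
        parts = urlsplit(blocked)
        origin = f"{parts.scheme}://{parts.netloc}"
        seed = [s for s in policy.get("default-src", []) if s != "'none'"]
        sources = policy.setdefault(report["directive"], seed)
        if origin not in sources:
            sources.append(origin)
    return policy, needs_review


class CspDemoHandler(BaseHTTPRequestHandler):
    """GET / serves a page under the report-only header; POST /csp-report collects reports."""
    policy = {"default-src": ["'none'"], "script-src": ["'self'"]}
    collected = []

    def do_GET(self):
        name, value = build_csp_header(self.policy, report_only=True, report_uri="/csp-report")
        body = b"<img src='https://cdn.example/logo.png'>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header(name, value)  # report-only: nothing is blocked, violations are reported
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            self.collected.append(parse_violation_report(self.rfile.read(length)))
            self.send_response(204)
        except ValueError:
            self.send_response(400)
        self.end_headers()


# Constructed sample reports in the shape browsers POST to report-uri.
SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in (
    {"document-uri": "https://site.example/", "violated-directive": "default-src 'none'",
     "effective-directive": "img-src", "blocked-uri": "https://cdn.example/logo.png"},
    {"document-uri": "https://site.example/", "violated-directive": "script-src 'self'",
     "blocked-uri": "https://analytics.example/tag.js"},  # CSP 1 style: no effective-directive
    {"document-uri": "https://site.example/", "violated-directive": "default-src 'none'",
     "effective-directive": "style-src", "blocked-uri": "inline"},
)]

if __name__ == "__main__":
    reports = [parse_violation_report(body) for body in SAMPLE_REPORTS]
    policy, review = refine_policy(CspDemoHandler.policy, reports)
    print(build_csp_header(policy, report_only=True, report_uri="/csp-report"))
    for r in review:
        print("review by hand:", r)
    if "--serve" in sys.argv:   # python this_file.py --serve, then browse to http://127.0.0.1:8080/
        HTTPServer(("127.0.0.1", 8080), CspDemoHandler).serve_forever()
```

Only after the report stream goes quiet for real traffic should the header name change from Content-Security-Policy-Report-Only to Content-Security-Policy; switching build_csp_header's report_only flag is the only change needed.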

dAm2K

Reputation: 10349

I'm using firefox, and it is working for me. This is the header I'm adding in response:

Content-Security-Policy: default-src 'none'

Try to remove "x-", and try with other browsers.

Upvotes: 1
